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ryptography-the use of secret codes- 
until recently the sacrosanct province 
puzzle geeks and government spies, 
just in time for the Internet explosion, a band 
outsiders triggered a revolution in this once-clc 

tered field. In the words of Harvard Law professor 

■ 

Lawrence Lessig, the powerful mathematical tools 
they created were "the most important technolog- 
ical breakthrough in the last one thousand years." 
These mighty algorithms would solve the critical 
problem for all of us in the twenty-first century- 
how to talk to one another, do business, and keep 
our personal information private in a networked 
world. But this was a revolution that the spies and 
the Feds wanted to kill. . . . 

In this first full-scale account of the great Code 
War that shook the computer age, Newsweek 
technology writer and bestselling author Steven 
Levy lucidly outlines the development of a "peo- 
ple's" cryptography and its head-on collision with 
the U.S. government. Crypto is about privacy in 
the information age and about the nerds and 
visionaries who, over twenty years ago, predicted 
that the Internet's greatest virtue-free access to 
information-was also its most perilous drawback: 
a possible end to privacy. 

Those fearless "crypto rebels" come alive here in a 
narrative that is as dramatic as a real-life thriller, a 
hugely readable blend of geniuses-at-work, sci-fi, 
and political intrigue, anchored by the firm voice 
of a guide who knows technology, politics, and 
digital culture. There is Whit Diffie, the long- 
haired Newton of c.rypto who invented 
astounding "public key" solution; David 
whose "anonymous digital money" act 
threatened the global financial infrastruc 
and "cypherpunks" like Phil Zimmermann 


freely distributed military-strength codes u 
the nose of the U.S. government. There is also 
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preface 


f he telegraph, telephone, radio, and especially the computer have put 
everyone on the globe within earshot — at the price of our privacy. It 
may feel like we’re performing an intimate act when, sequestered in 
our rooms and cubicles, we casually use our cell phones and comput- 
ers to transmit our thoughts, confidences, business plans, and even 
our money. But clever eavesdroppers, and sometimes even not-so- 
clever ones, can hear it all. We think we’re whispering, but we’re really 
broadcasting. 

A potential antidote exists: cryptography, the use of secret codes 
and ciphers to scramble information so that it’s worthless to anyone 
but the intended recipients. And it’s through the magic of cryptog- 
raphy that many communications conventions of the real world — 
such as signatures, contracts, receipts, and even poker games — will 
find their way to the ubiquitous electronic commons. But as recently 
as the early 1970s, a deafening silence prevailed over this amazing tech- 
nology. Governments, particularly that of the United States, managed 
to stifle open discussion on any aspect of the subject that ventured 
beyond schoolboy science. Anyone who pursued the fundamental 
issues about crypto, or, worse, attempted to create new codes or crack 
old ones, was doomed to a solitary quest that typically led to closed 
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doors, suddenly terminated phone connections, or even subtle warn- 
ings to think about something else. 

The crypto embargo had a sound rationale: the very essence of 
cryptography is obscurity, and the exposure that comes from the 
dimmest ray of sunlight illuminating the working of a government 
cipher could result in catastrophic damage. An outsider who knew 
how our encryption worked could make his or her own codes; a foe 
who learned what codes we could break would shun those codes 
thereafter. 

But what if governments were not the only potential beneficiaries of 
cryptography? What if the people themselves needed it, to protect 
their communications and personal data from any and all intruders, 
including the government itself? Isn’t everybody entitled to privacy? 
Doesn’t the advent of computer communications mean that everyone 
should have access to the sophisticated tools that allow the exchange 
of words with lawyers and lovers, coworkers and customers, physi- 
cians and priests with the same confidence granted face-to-face con- 
versations behind closed doors? 

This book tells the story of the people who asked those questions 
and created a revolution in the field that is destined to change all our 
lives. It is also the story of those who did their best to make the ques- 
tions go away. The former were nobodies: computer hackers, aca- 
demics, and policy wonks. The latter were the most powerful people 
in the world: spies, and generals, and presidents. Guess who won. 
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YKl ary Fischer loathed Whitfield Diffie on sight. He was a type she 
knew all too well, an MIT brainiac whose arrogance was a smoke 
screen for a massive personality disorder. The year of the meeting was 
1969; the location a hardware store near Central Square in Cam- 
bridge, Massachusetts. Over his shoulder he carried a length of wire 
apparently destined for service as caging material for some sort of pet. 
This was a typical purchase for Diffie, whose exotic animal collection 
included a nine-foot python, a skunk, and a rare genetta genetta, a 
furry mongooselike creature whose gland secretions commonly 
evoked severe allergic reactions in people. It lived on a diet of live rats 
and at unpredictable moments would nip startled human admirers 
with needlelike fangs. An owner of such a creature would normally be 
of interest to Mary Fischer, an animal lover who at that very moment 
had a squirrel in her pocket. At home she also had a skunk as well as 
two dogs, a fox, a white-wing trumpeter bird, and two South Ameri- 
can kinkajous. Diffie saw that she was buying some cage clips and 
abruptly focused his attention on her. 

In future years, Whit Diffie would be known — extraordinarily well 
known — as the codiscoverer of public key cryptography, an icono- 
graphic figure with his shoulder-length blond hair, Buffalo Bill beard, 
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and his bespoke suits cut by London tailors. But back in those days he 
was a wiry, crew-cut youth with “the angriest face I’d ever seen,” Fis- 
cher says, and he immediately began peppering Mary Fischer with 
questions. You keep exotic animals? Then you’ll need this, and this, 
and this. He took things out of her hands and put other things in as 
he lectured. His rudeness appalled Mary. But she hadn’t yet cracked 
his code. 

Mary Fischer didn’t know that Diffie was spending prodigious 
amounts of time thinking about problems in computer security and 
their mathematical implications. She had no idea that he was casting 
about for a new way to preserve secrets. All she knew was that Whit 
Diffie was unappetizing and he loved animals. But animals meant a lot 
to her, and soon Diffie and his girlfriend began visiting Mary and her 
husband, sometimes accompanied by their creatures. The skunks got 
along, some ferrets were exchanged, and Diffie’s visits to her home 
became routine. 

Mary began to reconsider her initial repulsion to Diffie. But, in his 
failure to decode her, he seemed generally oblivious to her. On his vis- 
its he interacted only with the man of the house. After Mary and her 
husband moved to New Jersey, where he started veterinary school, she 
would sometimes pick up the ringing phone and hear Diffie’s cuttingly 
precise voice brusquely ask for her spouse, as if she were an answer- 
ing service. One day she made her feelings plain. “Look,” she said, “I 
understand I’m not as bright as you and some of your friends, and I 
understand your friendship is primarily with my husband. But I don’t 
really think it would kill you to say hello.” 

The message got through. Diffie’s demeanor toward Mary dramati- 
cally improved, and she was not just startled but saddened when one 
day in 1971 he told her that he was going to travel for a while. Mary 
didn’t know yet that Whit Diffie was preparing himself for a solitary — 
and romantic — quest, looking for answers to questions that the 
United States government didn’t want asked. The odds against his 
success were astronomical, because he was confronting a near com- 
plete blockade of relevant information on a subject that, on its most 
sophisticated levels, was almost unspeakably obscure. What were the 
odds against such an unheralded outsider’s transforming an entire 
field with an original discovery that would redefine the ground rules 
for personal privacy in the computer era? 
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The length of those odds would shorten with the role of Diffie’s 
courtship of Mary Fischer in overcoming them — and a scientific 
breakthrough would result that affects every citizen in the digital age. 
“The discovery of public key,” says Fischer, “was a romance.” 


Bailey Whitfield Diffie was born on the eve of D-Day, June 5, 1944. 
His professor father had just completed a wartime sabbatical in gov- 
ernment service. (Though he disliked Communists — more for their 
humorless single-mindedness than their ideology — Whit Diffie’s father 
was a passionate antifascist and often lectured against the repressive 
movement in Europe.) Both of Whit’s parents were educated people. 
Bailey Wallace Diffie taught Iberian history and culture at City College 
in New York. Diffie’s mother was the former Justine Louise Whitfield, 
a stockbroker’s daughter from Tennessee who met her husband while 
working in the foreign service in Spain. She was a writer and scholar 
who studied Madame de Sevigne, a figure in the court of Louis XIII 
and Louis XIV. 

Whit Diffie was always an independent sort. As one early friend re- 
marked, “That kid had an alternative lifestyle at age five.” Diffie didn’t 
learn to read until he was ten years old. There was no question of dis- 
ability; he simply preferred that his parents read to him, which seem- 
ingly they did, quite patiently. Apparently both parents understood 
that their son was extremely intelligent and obstinately contrarian, so 
they didn’t press him. Finally, in the fifth grade, Diffie spontaneously 
worked his way through a tome called The Space Cat, and immedi- 
ately progressed to the Oz books. 

Later that year his teacher at P.S. 178 — “Her name was Mary 
Collins, and if she is still alive I’d like to find her,” Diffie would say 
decades later — spent an afternoon explaining something that would 
stick with him for a very long time: the basics of cryptography. Spe- 
cifically, she described how one would go about solving something 
known as a substitution cipher. 

Diffie found cryptography a delightfully conspiratorial means of 
expression. Its users collaborate to keep secrets in a world of prying 
eyes. A sender attempts this by transforming a private message to an 
altered state, a sort of mystery language: encryption. Once the mes- 
sage is transformed into a cacophonous babble, potential eavesdroppers 
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are foiled. Only those in possession of the rules of transformation 
can restore the disorder back to the harmony of the message as it was 
first inscribed: decryption. Those who don’t have that knowledge and 
try to decrypt messages without the secret “keys” are practicing 
“cryptanalysis.” 

A substitution cipher is one where someone creates ciphertext (the 
scrambled message) by switching the letters of the original message, 
or plaintext, with other letters according to a prearranged plan. The 
most basic of these has come to be known as the Caesar cipher, sup- 
posedly used by Julius Caesar himself. This system simply moved 
every character in the plaintext to the letter that occurs three notches 
later in the alphabet. (For instance, a Caesar cipher with its “key” of 
three would change A to D, B to E, and so on.) Slightly more chal- 
lenging to an armchair cryptanalyst is a cryptosystem that matches 
every letter in the alphabet to one in a second, randomly rearranged 
alphabet. Newspaper pages often feature a daily “cryptogram” that 
encodes an aphorism or pithy quote in such a manner. These are by 
and large easy to crack because of the identifiable frequency of certain 
letters and the all -too -often predictable way they are distributed in 
words. 

Like countless other curious young boys before him, Whit Diffie 
was thrilled by the process. In his history of cryptography, The Code- 
breakers, author David Kahn probes the emotional lures of secret writ- 
ing, citing Freud’s theory that the child’s impulse to learn is tied to the 
desire to view the forbidden. “If you’re a guy, you’re trying to look up 
women’s skirts,” says Kahn. “When you get down to it basically, that’s 
what it is, an urge to learn.” For many, the fascination of crypto also 
deals with the thrill that comes from cracking encoded messages. 
Every intercepted ciphertext is, in effect, an invitation to assume the 
role of eavesdropper, intruder, voyeur. In any case, it wasn’t the pros- 
pect of breaking codes that excited Whit Diffie but the more subtle 
pursuit of creating codes to protect information. “I never became a 
very good puzzle solver, and I never worked on solving codes very 
much then or later,” he now says. He would always prefer keeping 
secrets to violating the secrets of others. 

Diffie’s response to Miss Collins’s cryptography lesson was charac- 
teristic. He ignored her homework assignment, but independently 
pursued the subject in his own methodical, relentless fashion. He was 
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particularly interested in her off-the-cuff remark that there were more 
complicated ciphers, including a foolproof “U.S. Code.” He begged 
his father to check out all the books in the City College library that 
dealt with cryptography. Bailey Diffie promptly returned with an arm- 
load of books. Two of them were written for children; Diffie quickly 
devoured those. But then he got bogged down in Helen Forche 
Gaines’s Cryptanalysis, a rather sophisticated 1939 tome. 

Gaines offered a well-organized set of challenges that would pro- 
vide hardworking amateurs an education in classical cryptographic 
systems. Many of these were refinements of advances made centuries 
ago, which in turn were more complicated variations of the earlier 
substitution ciphers. The best known were the polyalphabetic systems, 
first hatched in Vatican catacombs and later revealed in the early 
1500s by a German monk named Johannes Trithemius. Published in 
1518 — two years after his death — Trithemius’s Polygraphia intro- 
duced the use of tables, or tableaux, wherein each line was a separate, 
reshuffled alphabet. When you encoded your message, you trans- 
formed the first character of the text using the alphabet on the first line 
of the tableau. For the second character of your message you’d repeat 
the process with the scrambled alphabet on the second line, and so on. 

On the heels of Trithemius came the innovations of a sixteenth- 
century French diplomat named Blaise de Vigenere. Here was a man 
who had penetrated the soul of crypto. “All things in the world consti- 
tute a cipher,” he once observed. “All nature is merely a cipher and a 
secret writing.” In the most famous of almost two dozen books he pro- 
duced after his retirement from the diplomatic service, Vigenere pro- 
duced devastating variations on previous polyalphabetic systems, 
adding complexity with a less predictable tableaux and “autokeys” that 
made use of the plaintext itself as a streaming key. The Vigenere sys- 
tem won a lasting reputation for security — it was known as le chiffre 
indechiffrable — so much so that until almost the twentieth century, 
some armchair cryptographers believed that a certain streamlined ver- 
sion of the system was the sine qua non of cryptosystems. 

Actually, by the time Diffie encountered them, the cryptologic arts 
had progressed dramatically since Vigenere. Still, Diffie’s juvenile 
inquiries led him to think that Vigenere was the endpoint of the sub- 
ject. Bored by the thought that cryptography was a problem already 
solved, he didn’t delve too deeply into Gaines’s book. His obsession 
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with codes faded. At the time, he also felt that everybody was interested 
in codes, and, as a dogged contrarian, “this made it seem vulgar to 
me,” he later recalled. “Instead, I learned about ancient fortifications, 
military maps, camouflage, poison gas, and germ warfare.” He came 
to share his interests with a small group of teenage friends, and even 
considered pursuing a career in the armed forces, checking out the 
ROTC programs of universities he was interested in. But only one of 
Diffie’s militia -minded clique actually enlisted in one of the armed 
services — and died in Vietnam. 

Ultimately it was mathematics, not munitions, which dictated 
Diffie’s choice of college. Math offered one thing that history did not: 
a sense of absolute truth. “I think that one of the central dilemmas of 
Whit’s life has been to figure out what is really true,” explains Mary 
Fischer, who says that early in the boy’s life, Diffie’s father was called 
to school and told that his son was a genius. As Fischer tells it, Bailey 
Diffie’s reaction was to offer a ruse, in hopes that it would provoke 
discipline. He told Diffie that he wasn’t as bright as other boys, but if 
he worked harder than those favored with high intelligence and 
applied himself, he might be able to achieve something. “With some 
children that might have worked,” says Fischer, “but with Whit it was 
a bad tactic. It shook him for years, and I think it gave Whit a real 
hunger for what was ground -zero truth.” 

Though Diffie performed competently in school, he never did apply 
himself to the degree his father hoped. He was sometimes unruly in 
class; he worked best with material untainted by the stigma of having 
been assigned. Once a calculus teacher, fed up with Whit’s noise- 
making, remarked, “One day you’ll be roasting marshmallows in 
here!” and sure enough, the next class Diffie brought a Sterno can 
to toast the marshmallows a friend smuggled into school. He failed 
to fulfill the requirements for a full academic diploma, settling for 
a minimal distinction known as a general diploma. Nor did he attend 
graduation; he left with his father on a European trip. (The great 
tragedy of Diffie’s high school years was the death of his mother; he 
still avoids talking about it.) Only stratospheric scores on standardized 
tests enabled him to enter the Massachusetts Institute of Technology 
in 1961. 

“I wasn’t a very good student there, either,” Diffie admits. He was, 
however, dazzled by the brainpower of the student body, a collection 
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of incandescent outcasts, visionaries, and prodigies, some of whom 
could solve in a minute problems that would take Diffie a day to com- 
plete. Of these mental luminaries, Whitfield Diffie might have seemed 
the least likely to produce a world -changing breakthrough. But since 
his brilliant friends were human beings and not high-powered 
automata, their trajectories proved far from predictable. Some of the 
very brightest wound up cycling through esoteric computer simu- 
lations, or proselytizing smart drugs, or teaching Transcendental 
Meditation. 

Contemporaries from MIT recall Diffie vividly as a quirky teenager 
with blond hair sticking out from his head by two inches (“You wanted 
to take a lawn mower to it,” says a friend). He bounded through cam- 
pus on tiptoe, a weird walk that became an unmistakable signature in 
motion. But he was noted for his deep understanding of numbers as 
well. 

He also took up computer programming — at first, Diffie now says, 
to get out of the draft. “I thought of computers as very low class,” he 
says. “I thought of myself as a pure mathematician and was interested 
in partial differential equations and topology and things like that.” But 
by 1965, when Diffie graduated from MIT, the Vietnam War was rag- 
ing and he found himself deeply disenchanted with the trappings of 
armed conflict. “I had become a peacenik,” he says. Not to mention 
a full-blown eccentric. He and his girlfriend lived in a small Cam- 
bridge apartment that eventually became packed with glass-walled 
tanks to hold their prodigious collection of exotic fauna. An aficio- 
nado of Chinese food, Diffie was also known for carrying around a 
pair of elegant chopsticks, much the way a serious billiard player totes 
his favorite cue. 

To avoid the draft, Diffie accepted a job at the Mitre Corporation, 
which, as a defense contractor, could shelter its young employees 
from military service. His work had no direct connection to the war 
effort: he worked under a mathematician named Roland Silver, team- 
ing up with another colleague to write a software package called Math- 
lab, which later evolved into a well-known symbolic mathematical 
manipulation system called Macsyma. (Though few knew of the nature 
of his contribution, the nerd cognoscenti understood that Diffie’s work 
here involved a virtuosic mastery of arithmetic, numbers theory, and 
computer programming.) 
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Best of all, Diffie’s team did not have to work at the Mitre offices 
but, in 1 966, became a resident guest of the esteemed Marvin Minsky 
in the MIT artificial intelligence lab. During the three years he worked 
there, Diffie became part of this storied experiment in making 
machines smart, in pushing the frontiers of computer programming 
and in establishing an information-sharing ethos as the ground zero of 
computer culture. One aspect of this hacker -oriented society would 
turn out to be particularly relevant to the direction that Diffie’s inter- 
ests were heading. Just as some words in various languages have no 
meaning to drastically different civilizations (why would a tropical 
society need to speak of “snow”?), the AI lab had no technological 
equivalent for a term like “proprietary.” Information was assumed to 
be as accessible as the air itself. As a consequence, there were no soft- 
ware locks on the operating system written by the MIT wizards. 

Unlike his peers, however, Diffie believed that technology should 
offer a sense of privacy. And unlike some of his hacker colleagues, 
whose greatest kick came from playing in forbidden computer play- 
grounds, Diffie was drawn to questions of what software could be 
written to ensure that someone’s files could not be accessed by intrud- 
ers. To be sure, he participated in the literal safecracking that was a 
standard hobby in the AI lab: a favorite hacker pastime involved dis- 
covering new ways of opening government-approved secure safes. But 
Diffie got more of a kick from the protection of a strongly built safe 
than the rush of breaking a poorly designed system of locks and tum- 
blers. He liked to keep his things in high -security filing cabinets and 
military safes. 

In the information age, however, the ultimate information strong- 
hold resides in software, not hardware: virtual safes protecting precious 
data. Information, after all, represents the treasure of the modern age, 
as valuable as all the doubloons and bangles of previous eras. The field 
charged with this responsibility back then was computer security, then 
in a nascent stage. Not many people bothered to discuss its philo- 
sophical underpinnings. But Diffie would often engage his boss in con- 
versations on security. Inevitably, cryptography entered into their 
discussions. 

Silver had some knowledge in the field, and the elder man opened 
Diffie’s eyes to things unimaginable in his fifth-grade independent 
study. One day the pair sat in the cafeteria at Tech Square, the boxy 
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nine -story building whose upper levels housed the AI lab, and Silver 
carefully explained to Diffie how modern cryptosystems worked. 

Naturally, they depended on machinery. The machines that did 
the work — whether electromechanical devices like the Enigma cipher 
machines used by the Germans in World War II, or a contemporary 
computer -driven system — scrambled messages and documents by 
applying a unique recipe that would change the message, character by 
character. (The recipe for those transformations would be a set of 
complicated mathematical formulas or algorithms.) Only someone 
who had an identical machine or software program could reverse the 
process and divine the plaintext, with use of the special numerical key 
that had helped encrypt it. 

In the case of the Enigma machines, that key involved “settings,” 
the positions of the various code wheels that determined how each let- 
ter would be changed. Each day the encrypters would reset the wheels 
in a different way; those receiving the message would already have 
been informed of what those settings should be on that given day. 
That’s why the Allied coup of recovering live Enigma machines — the 
key intelligence breakthrough of World War II — was only part of the 
elaborate codebreaking process that took place at Bletchley Park in 
England. The cryptanalysts also had to learn the process by which the 
Axis foes made their settings; then they could conduct what was 
known as a “brute force” attack that required going through all the 
possible combinations of settings. This could be efficiently done only 
by creating machines that were the forerunners of modern computers. 

With computers, the equivalent of Enigma settings would become 
a digital key, a long string of numbers that would help determine how 
the system would transform the original message. Of course, the 
intended recipient of the message had to have not only the same com- 
puter program, but also that same key. But both mechanical and digi- 
tal systems had two components: a so-called black box with the rules 
of transformation and a key that you’d feed into the black box along 
with your everyday message in plain English. Such was the background 
for what Silver talked about to Diffie that day— but not being privy 
to government secrets, he actually knew few of the details. He was 
able to explain, however, how computer cryptosystems generated a 
series of digits that represented a keystream, and how that would be 
“xor-ed” with the plaintext stream to get a ciphertext. (As any computer 
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scientist knows, an xor operation involves pairing a digital bit with 
another bit, and generating a one or zero depending on whether they 
match.) If the key is suitably unpredictable, your output would be the 
most imponderable string of gibberish imaginable, recoverable (one 
hoped) only by using that same key to reverse the process. 

Imponderable, of course, is a relative term, but those who devised 
cryptosystems had a standard to live up to: randomness. The idea was 
to create ciphertext that appeared to be as close to a random string of 
characters as possible. Otherwise, a smart, dedicated, and resourceful 
codebreaker could seize upon even the most subtle of patterns and 
eventually reconstruct the original message. A totally random stream 
could produce uncrackable code — this essentially represented the 
most secure form of encryption possible, the so-called one-time pad, 
a system that provided a truly randomly chosen substitute for every 
letter in the plaintext. One-time pads were the only cryptographic solu- 
tion that was mathematically certain to be impervious to cryptanalysis. 

The problem with one-time pads, however, was that for every 
character in the message, you needed a different number in the “key 
material” that originally transformed readable plaintext into jumbled 
ciphertext. In other words, a key for a one-time pad system had to be 
at least as long as the message and couldn’t be used more than once. 
The unwieldiness of the process made it difficult to implement in the 
field. Even serious attempts to deploy one-time pads were commonly 
undermined by those tempted to save time and energy by reusing 
a pad. 

His conversations with Silver excited Diffie. The subject of “pseudo- 
randomness” was clearly of importance to both the mathematical and 
real worlds, where security and privacy depended on the effective- 
ness of those codes. How close to randomness could we go? Obvi- 
ously, there was a lot of work going on to discover the answer to that 
question — but the work was going on behind steep barriers erected 
and maintained by the government’s intelligence agencies. 

In fact, just about all the news about modern cryptography was 
behind that barrier. Everyone else had to rely on the same texts 
Whitfield Diffie had encountered in the fifth grade. And they didn’t 
talk about how one went about changing the orderly procession of 
ones and zeros in a computer message to a different set of totally 
inscrutable ones and zeros using state-of-the-art stuff like Fibonacci 
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generators, shift registers, or nonlinear feedback logic. Diffie resented 
this. “A well -developed technology is being kept secret!” he thought. 
He began to stew over this injustice. One day, walking with Silver 
along Mass Avenue near the railroad tracks, he spilled his concerns. 
Cryptography is vital to human privacy! he railed. Maybe, he sug- 
gested, passionate researchers in the public sector should attempt to 
liberate the subject. “If we put our minds to it,” he told Silver, “we 
could rediscover a lot of that material.” That is, they could virtually 
declassify it. 

Silver was skeptical. “A lot of very smart people work at the NSA,” 
he said, referring to the National Security Agency, the U.S. govern- 
ment’s citadel of cryptography. After all, Silver explained, this organi- 
zation had not only some of the best brains in the country, but billions 
of dollars in support. Its workers had years of experience and full 
access to recent cryptographic discoveries and techniques unknown to 
the hoi polloi — however intelligent — without high security clearances. 
The agency had supercomputers in its basement that made even 
MIT’s state-of-the-art mainframe computers look like pocket calcula- 
tors. How could outsiders like Diffie and Silver hope to match that? 

Silver also told Diffie a story about his own NSA experience years 
earlier while writing a random number generator for the Digital 
Equipment Corporation’s PDP- 1 machine. He needed some informa- 
tion: his reasons were noncryptographic; he simply had a certain 
mathematical need, a polynomial number with some particular prop- 
erties. He was sure that a friend of his at the NSA would know the 
answer instantly, and he put in a call. “Yes, I do know,” said the 
friend. What was it? After a very long silence, during which Silver 
assumed that the friend was asking permission, the NSA scientist 
returned to the phone. Silver heard, in a conspiratorial whisper, “x to 
the twenty -fifth, plus * to the seventh, plus one.” 

Diffie was outraged at this secretiveness. He’d heard about the 
NSA, of course, but hadn’t known that much about it. Just what was 
this organization, which acted as if it actually owned mathematical 
truths? 


Created by President Truman’s top-secret order in the fall of 1952, the 
National Security Agency was a multibillion -dollar organization that 
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operated totally in the “black” region of government, where only those 
who could prove a “need to know” were entitled to knowledge. (It was 
not until five years after its founding that a government document 
even acknowledged its existence.) The NSA’s cryptographic mission is 
twofold: to maintain the security of government information and to 
gather foreign intelligence. The double-sided nature of its duty led the 
NSA to organize itself into two major divisions: Communications 
Security, or COMSEC, which tries to devise codes that cannot be bro- 
ken, and Communications Intelligence, or COMINT, which collects 
and decodes information from around the world. (Since the latter 
function most often involves intercepting and interpreting electronic 
information, it is more broadly referred to as signals intelligence, or 
SIGINT.) Over the years the NSA has established a vast network of 
listening devices and sensors to gather signals from even the most 
obscure reaches of the globe, an operation that expanded beyond the 
planetary atmosphere when the satellite era began in the 1960s. 

In the early 1970s, none of this was discussed publicly. Within the 
Beltway, people in the know jokingly referred to the organizational 
acronym as No Such Agency. Those very few members of Congress 
who had oversight responsibility for intelligence funding would learn 
what had to be conveyed only in shielded rooms, swept for listening 
devices. 

Access to the organization’s headquarters at Fort George Meade, 
Maryland, was, as one might imagine, severely limited. A triple-barbed- 
wired and electrified fence kept outsiders at bay. To work within the 
gates, of course, one had to survive a rigid vetting. 

“By joining NSA,” reads the introduction to a handbook presented 
to new hires, “you have been given an opportunity to participate in the 
activities of one of the most important intelligence organizations of 
the United States government. At the same time you have assumed a 
trust which carries with it a most important individual responsibility — 
the safeguarding of sensitive information vital to the security of our 
nation.” 

Since all the salient information about modern crypto was withheld 
from public view, outsiders could only guess at what happened in 
“The Fort.” The NSA undoubtedly operated the most sophisticated 
snooping operation in the world. It was universally assumed (though 
never admitted) that no foreign phone call, radio broadcast, or tele- 
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graph transmission was safe from the agency’s global vacuum cleaner. 
Signals were sucked up and the content analyzed with multi-MIPS 
computers, combing the text for anything of value. (These suspicions 
were later confirmed with leaks of Project Echelon, the NSA’s ambi- 
tious program to monitor foreign communications.) Were the results 
worth the billions of dollars and the questionable morality of the effort 
itself? This was something known only to the very few government 
officials who received briefings on the fabled intercepts — and even 
they were dependent on the quality of information that came from the 
agency itself. 

What’s more, the NSA considered itself the sole repository of cryp- 
tographic information in the country — not just that used by the civil- 
ian government and all the armed forces, as the law dictated, but that 
used by the private sector as well. Ultimately, the triple-depth electri- 
fied and barbed-wire fence surrounding its headquarters was not only 
a physical barrier but a metaphor for the NSA’s near-fanatical drive to 
hide information about itself and its activities. In the United States of 
America, serious crypto existed only behind the Triple Fence. 

Every day the NSA pored over new ideas for cryptographic systems 
submitted by would-be innovators in the field. “Their ideas disappear 
into the black maw of the NSA, and may see service in American cryp- 
tography,” wrote David Kahn, “but security prevents the inventor 
from ever knowing this — and may enable the agency or its employees 
to utilize his ideas without compensation.” But even those who did 
not submit ideas were not free of the NSA’s stranglehold. The agency 
monitored all patent requests concerning cryptography and had the 
legal power to classify any of those it deemed too powerful to fall into 
the public domain. 

As he learned more about the NSA, Whit Diffie came to feel a bit 
foolish that despite his having heard of the agency, the extent of its 
power had only belatedly dawned on him. Diffie had actually visited 
the Institute for Defense Analysis (IDA) at Princeton, a quasi-private 
outpost of the NSA, but he’d had only the vaguest idea about the orga- 
nization’s mission at the time. Not that it would have helped him get 
information from those crypto illuminati. One may socialize and even 
exchange thoughts with those who had ventured behind the Triple 
Fence, but only as long as those thoughts did not involve the forbid- 
den subject of cryptography. 
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Cryptography, however, was exactly what Diffie wanted to talk 
about. He wanted to learn as much as he could, to have far-ranging 
conversations with the leaders in the field. Even the foot soldiers in the 
field would do. But he quickly became frustrated with those who 
would not, or could not, talk about it. 

For instance, Diffie quizzed an MIT colleague named Dan Edwards, 
who would join the NSA after graduating. “He was extremely unhelp- 
ful,” Diffie later reported, “failing to reveal things which were certainly 
not classified and which I later saw in the bibliography of his thesis.” 
And when a colleague at Mitre went to work at IDA, Diffie asked him 
if he could share anything about his work. After a tantalizing pause: no. 

Perhaps the idea of pursuing the forbidden was simply irresistible 
to a contrarian like Diffie. He kept thinking about crypto and the silent 
embargo against it. And the more he thought about the problem, the 
more he came to understand how deeply, deeply important the issue 
was. Especially in what he saw as the coming era of computational 
ubiquity. As more people used computers, wireless telephones, and 
other electronic devices, they would demand cryptography. Just as the 
invention of the telegraph upped the cryptographic ante by moving 
messages thousands of miles in the open, presenting a ripe opportu- 
nity for eavesdroppers of every stripe, the computer age would be 
moving billions of messages previously committed to paper into the 
realm of bits. Unencrypted, those bits were low-hanging fruit for 
snoopers. Could cryptography, that science kept intentionally opaque 
by the forces of government, help out? The answer was as clear as 
plaintext. Of course it could! 

Right at MIT there was an excellent example of a need for a cryp- 
tographic solution to a big problem. The main computer system there 
was called Compatible Time Sharing System (CTSS). It was one of 
the first that used time -sharing, an arrangement by which several 
users could work on the machine simultaneously. Obviously, the use 
of a shared computer required some protocols to protect the privacy 
of each person’s information. CTSS performed this by assigning a 
password to each user; his or her files would be in the equivalent of a 
locked mini-storage space, and each password would be the equiva- 
lent of the key that unlocked the door to that area. Passwords were dis- 
tributed and maintained by a human being, the system operator. This 
central authority figure in essence controlled the privacy of every user. 
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Even if he or she were scrupulously honest about protecting the pass- 
words, the very fact that they existed within a centralized system pro- 
vided an opportunity for compromise. Outside authorities had a clear 
shot at that information: simply present the system operator with a 
subpoena. “That person would sell you out,” says Diffie, “because he 
had no interest in defying the order and going to jail to protect your 
data.” 

Diffie believed in what he called “a decentralized view of authority.” 
By creating the proper cryptographic tools, he felt, you could solve 
the problem — by transferring the data protection from a disinterested 
third party to the actual user, the one whose privacy was actually at 
risk. He fantasized about a company that would invent and implement 
such tools. He even had a name for this imaginary concern: Privacy 
Protection, Incorporated. 

But in Diffie’s fantasy, it was someone else who devised the solution, 
someone else who founded the company — not him. Though he was 
becoming absolutely sure that the problems of maintaining privacy in 
a non -crypto -protected world were insurmountable, he assumed that 
others would be better qualified, better motivated, more practically ori- 
ented than he to create the crypto to tackle such problems. So he tried 
to convince others to work on the solution. With little success. “None 
of the people I tried to get interested in the subject did anything,” he 
recalls. 

So Diffie kept working on his main interest, which lay in a mathe- 
matical problem called “proof of correctness.” But he kept research- 
ing what he could on crypto, though at this point his efforts were far 
from methodical. One day at the Cambridge Public Library, Diffie was 
browsing the recent acquisitions and came across The Broken Seal by 
Ladislas Farago, a book about the pre-Pearl Harbor codebreaking 
efforts. He read a bit of it right there, and he certainly thought it worth 
reading further. But he never did. (Worse, he came to confuse this 
book with another book published at that time, David Kahn’s The 
Codebreakers, which delayed his reading of the more important work.) 

Similarly, one day at Mitre, a colleague moving out of his office 
gave Diffie a 1949 paper by Claude Shannon. The legendary father of 
information theory had been teaching at MIT since 1956, but Diffie 
had never met him, a slight, introverted professor who lived a quiet 
family life, pursuing a variety of interests from reading science fiction 
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to listening to jazz. (Presumably, by the time Shannon had reached his 
sixties, he had put aside the unicycle he had once mastered.) 

Shannon’s impact on cryptography was considerable. After receiv- 
ing an MIT doctorate in 1940, he had worked for Bell Telephone 
Laboratories during the war, specializing in secrecy systems. The 
work was classified, of course, but in the late part of the decade the 
two key papers in Shannon’s wartime work found their way into 
the public domain. In 1948, Shannon’s seminal article on information, 
“Mathematical Theory of Communication,” ran in the Bell System 
Technical Journal, and subtly set the stage for the digital epoch. A year 
later, “Communication Theory of Secrecy Systems” appeared in the 
same journal. 

Both efforts were highly technical; those without advanced math 
degrees could barely venture a few paragraphs without being snared in 
a thicket of thorny equations and formulas. But Shannon had a sense 
of clarity that enabled him to send a clear signal through the noise of 
high-level math. In the latter paper, he clearly and concisely examined 
the basic cryptographic relationship from scratch, addressing the “gen- 
eral mathematical structure and properties of secrecy systems.” He 
even provided a diagram of the classic cryptanalytic situation, begin- 
ning with a box representing the original message. This was trans- 
formed by an “encipherer” with access to a “key source.” The message 
would move to the “decipherer,” who’d use the same key source to 
return the message to its original form. But there was another line 
branching out from the cryptogram. It led to the “enemy cryptana- 
lyst,” who might be able to intercept the encrypted message. That third 
party was always to be assumed. The challenge was to make it impos- 
sible for that enemy to crack the cryptogram. 

The concepts of signal and noise loomed large in Shannon’s view of 
cryptology. He saw crypto as a high-stakes zero-sum game between 
secret keeper and foe, where a successful secret was a signal that 
could not be teased out of the apparent noise. In his sixty-page dis- 
cussion of the matter, he masterfully clarified the dilemma of both 
encrypter and enemy. The gift of the Shannon paper was undoubtedly 
one of the most valuable that a prospective cryptographer like Diffie 
could hope for in the late 1960s. Diffie himself would later consider it 
the last worthwhile unclassified paper published for over twenty years. 
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Too bad that Whit Diffie, still pursuing knowledge in a scattershot 
manner, waited several years before actually reading it. 


In 1969, Diffie finally left Mitre. His funding had run out, and now that 
he was approaching the draft cutoff age, he had the freedom to leave. 
He had never really liked Cambridge very much. In high school, Diffie 
had hung out with the left-liberal and even the red diaper set, and led a 
full social life, with folk- singing parties and lots of friendly girls. Though 
similar scenes undoubtedly existed in Cambridge, “I just didn’t find 
them,” Diffie now moans. But at the University of California at Berke- 
ley, where he spent a summer after his freshman year, Diffie found a 
place among the left-leaning protest crowd. “I really believe in the radi- 
cal viewpoint,” he says. “And I have always believed that one’s politics 
and the character of his particular work are inseparable.” 

So Diffie and his girlfriend moved west, and Diffie went to work at 
John McCarthy’s Stanford Artificial Intelligence Lab. Supposedly, he 
would continue working on proof of correctness and other mathe- 
matical problems that applied to computer science. But in conversa- 
tions with McCarthy, Diffie was led into a deeper consideration of 
privacy concerns. A pioneer in time-sharing, McCarthy understood 
that soon computer terminals would find their way into the home. 
Inevitably, he believed, the nature of work itself would change, as the 
electronic office became something that moved out of the cloistered 
world of computer scientists and hackers and deep into the main- 
stream. This would open up not only a thicket of security problems, 
but also a host of novel challenges that almost no one was thinking 
about in 1969: If work products became electronic — produced on 
computer and sent over digital networks — how would people dupli- 
cate the customary forms of authentication (the means to verify that 
the author of a document was actually the person he or she claimed to 
be)? What would be the computerized version of a receipt? How 
could you get a computer -generated equivalent of a signed contract? 
Even if people were given unique “digital signatures” — say, a long, 
randomly generated number bequeathed to a single person — the 
nature of digital media, in which something can be copied in milli- 
seconds, would seem to make such an identifier pointless. If you 
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“signed” such a number to a contract, what would stop someone from 
simply scooping up the signature, making a perfect copy, and affixing 
it to other documents, contracts, and bank checks? If even the possi- 
bility of such unauthorized signed copies existed, the signature would 
be worthless. “I didn’t sign this,” someone could say. “Someone 
copied my signature!” Diffie began to wonder how one could begin to 
fix this apparently inherent flaw in the concept of digital commerce. 

Diffie and McCarthy spent hours in rambling discussions on issues 
like authentication and the problems of distributing electronic keys. But 
Diffie still was more interested in letting others create the solution. In 
the summer of 1972, however, machinations in Washington, D.C., 
indirectly changed his course. 

The government, under the aegis of the Defense Department’s 
Advanced Research Projects Agency (ARPA), had recently begun a 
program to link major research institutions. This was known as the 
ARPAnet, a system that would one day transmogrify into today’s 
Internet. ARPA’s director of information-processing techniques, Larry 
Roberts, realized that such a computer network, the first computer 
net to link multiple sites and handle hundreds if not thousands of 
users, would need a way to keep messages secure, and the obvious 
way of doing that was to devise new crypto solutions. But when 
Roberts approached the NSA, he got a quick brush-off. Ultimately, 
he enlisted the help of Bolt Baranek Newman, the Boston-based com- 
pany that helped set up ARPAnet in the first place. In the meantime, 
he mentioned the problem to his friend John McCarthy, who encour- 
aged people at Stanford to concoct some crypto programs. They 
began working on what Diffie later called “a very complicated system 
combining the effects of several linear congruential random number 
generators.” 

Since Diffie’s girlfriend was on that team, he also was drawn into the 
effort. Naturally, his curiosity led him to study the system closely. As he 
came to understand it, he found himself dissatisfied with its lack of effi- 
ciency. Diffie believed that if cryptography were to be used in a com- 
puter system, it was essential that users not have to suffer performance 
lags. Ideally, encryption should add but a tiny — or imperceptible — 
increment to the time it took to perform a function like copying a file. 
Diffie went over the group’s basic encoding algorithm and eventually 
wrote a routine that ran much faster. In the process — now that he was 
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actually doing some cryptography — he began to spend even more time 
thinking about the larger issue of how to advance the field. Later that 
year he went to Cambridge and saw Roland Silver again; Diffie now 
had much more hands-on expertise to bring to a discussion of crypto, 
and their rich exchange fueled his interest even more. 

By now Diffie had finally gotten around to reading David Kahn’s 
The Codebreakers. Since Diffie was a very slow, methodical reader, 
tackling a book of a thousand densely packed pages was a major 
undertaking for him. “He traveled everywhere with that book in 
hand,” says his friend Harriet Fell. “If you invited him to dinner, he’d 
come with The Codebreakers.” But Diffie found the hundreds of hours 
he spent on the book to be well worth the trouble. 

Indeed, The Codebreakers was a landmark work — and one that the 
government had not wanted to see published. Kahn was a Newsday 
reporter who, as a twelve-year-old, had been thrilled, like Diffie and 
countless other boys, with his first exposure to the mysteries of secret 
writing. That moment first came on a visit to the local Great Neck 
(Long Island, New York) library, where the cover to a potboiler his- 
tory called Secret and Urgent, by Fletcher Pratt, was on display. “This 
was about 1942 or ’43,” recalls Kahn. “That dust jacket was terrific; 
it had letters and numbers swirling out of the cosmos. I was hooked.” 
The hook sank deeper when he actually read the book and learned 
about how ciphers worked. The youngster joined what was then 
probably the most sophisticated cryptography organization outside the 
government, the American Cryptogram Association. Which wasn’t 
saying much. “It was a bunch of amateurs,” he says. “They solved 
cryptograms as puzzles, and used a little publication with articles 
on how to solve them.” Many of the members were elderly, or at least 
had time on their hands. There was even an offshoot called the Bed- 
warmers. “These were people with polio, or were in some sort of 
clinic, or were paralyzed,” says Kahn. “They couldn’t move around 
very well so they solved puzzles.” Such was the scope of crypto work 
outside the government. 

Unlike Diffie, however, Kahn loved to solve the puzzles himself, 
and kept his interest into adulthood. He discussed some sophisticated 
schemes with some fellow Cryptogram Association members. “Other- 
wise, you were totally isolated,” he says. “This was an unknown field; 
nobody knew anything about it.” But he didn’t detect a more general 
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interest in cryptography until 1961, when two NSA cryptographers 
defected to the USSR and held a press conference about their experi- 
ence. This was revelatory to Kahn; despite diligently monitoring all the 
public literature about cryptography, he had hardly known that the 
NSA existed! Still, since he knew something about crypto, he dared to 
ask editors at the New York Times Magazine if they would like a back- 
grounder on the subject. They did, and he produced it. 

The day after the story’s publication, Kahn received three book 
contract offers. He turned them down since they were from paperback 
publishers and he wanted his work between boards. He got his wish a 
week later when an editor named Peter Ritner asked him to do a hard- 
cover for Macmillan. Kahn wrote up an outline for a general book 
about codes, and received a $2000 advance. But as he began working 
on the introductory section, his research efforts kept kicking up more 
and more interesting stories from disparate sources. By the time he 
reached page 250 of his “preliminary chapter” — he had barely gotten 
to the Renaissance — he realized that he was really writing the com- 
prehensive history of cryptology. 

Two years into the project, Kahn quit his job to focus his efforts full 
time on the book. He lived off his savings, bunking at his parents’ 
house and eating meals cooked by his grandmother. He wrote hun- 
dreds of letters, spent days in the New York Public Library, and, most 
important, connected with people who had never previously told their 
stories. A high-ranking Department of Defense official allowed him 
access to two important World War II codebreakers — an astonishing 
event given how Cold War politics decreed that revealing any infor- 
mation of this sort was virtually treason — if he agreed to submit his 
notes from the interviews to the government. “I guess the [Defense 
official] didn’t know what he was getting into,” reasons Kahn, “and 
when the notes got submitted to the NSA, the government panicked, 
and said I had to [disregard the information], I respectfully declined.” 

Kahn also constructed, with the help of an important confiden- 
tial source, the first public account of the extent of the NSA’s power, 
constructing it from the bits and pieces that had dribbled out over 
the years. But the most explosive details of Kahn’s book lay in its 
methodical explanation of how cryptography works, and how the NSA 
used it. When The Codebreakers was finished in 1965, it contained the 
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most complete description of the operations of Fort Meade that had 
ever been compiled without an eyes-only stamp on each page. 

Quite correctly, officials at the National Security Agency had come 
to view Kahn’s book as a literary hand grenade, with the potential for 
serious damage to the government’s carefully maintained ramparts of 
secrecy. In his NSA expose The Puzzle Palace, author James Bamford 
wrote that “innumerable hours of meetings and discussions, involving 
the highest levels of the agency, including the director, were spent in 
an attempt to sandbag the book.” Countermeasures considered behind 
the Triple Fence ranged from outright purchase of the copyright to a 
break-in at Kahn’s home. Kahn, who had moved to Paris to work for 
the Herald Tribune, was placed on the NSA’s “watch list,” enabling 
eavesdroppers to read his mail and monitor his conversations. 

To Kahn’s dismay, in March 1966 his editor sent the manuscript off 
to the Pentagon for its scrutiny and comments. Of course, it was then 
shipped to Fort Meade. The Defense Department wrote Macmillan’s 
chairman that publishing The Codebreakers “would not be in the 
national interest.” But Macmillan didn’t bend, less because of back- 
bone, Kahn guesses, than the fact that by that point in the production 
process “they had too much money put into it.” 

So the NSA took an extraordinary step. In July 1966, its director, 
Lt. Gen. Marshall S. Carter — a man so secretive that his name never 
appeared in newspapers — flew to New York City and met with the 
chairman of the publishing company, its legal counsel, and Kahn’s edi- 
tor, Peter Ritner. After attacking Kahn’s reputation and expertise, 
Carter finally made a personal appeal for three specific deletions. A few 
days later, Ritner presented Kahn with the request. The actual deletions 
struck Kahn as surprisingly inconsequential. “It didn’t really hurt the 
book, so I took the three things out,” Kahn says. “But I insisted that 
we put in a statement to the effect that the book had been submitted 
to the Department of Defense. In the end that had a good effect, 
because right-wing reviewers could otherwise have said the book was 
destroying the republic. Now they couldn’t.” 

While The Codebreakers never made the New York Times bestseller 
list, it became a steady seller, going through dozens of printings. And 
it did not, as the NSA had hysterically predicted, bring an abrupt close 
to the American century. It did, however, enlighten a new generation 


24 | crypto 

of cryptographers who would dare to work outside of the govern- 
ment’s wall of secrecy. And its prime student was Whitfield Diffie. 

“I read it more carefully than anyone had ever read it. . . . Kahn’s 
book to me is like the Vedas,” he explains, citing the centuries-old 
Indian text. “There’s an expression I learned: ‘If a man loses his cow, 
he looks for it in the Vedas.’ ” 

By the time Whitfield Diffie finished The Codebreakers, he was no 
longer depending on others to tackle the great problems of cryptogra- 
phy. He was personally, passionately engaged in them himself. They 
consumed his waking dreams. They were now his obsession. 

Why had Diffie’s once- intermittent interest become such a con- 
suming passion? Behind every great cryptographer, it seems, there is 
a driving pathology. Though Diffie’s quest was basically an intellectual 
challenge, he had come to take it very personally. Beneath his casual 
attire and streaming blond hair, Diffie was a proud and determined 
man. He had an unusual drive for getting at what he considered the 
bedrock truth of any issue. This led to a fascination with protecting 
and uncovering secrets, especially important secrets that were desper- 
ately held. “Ostensibly, my reason for getting interested in this was its 
importance to personal privacy,” he now says. “But I was also fasci- 
nated with investigating this business that people wouldn’t tell you 
about. It was as if solving this conundrum would provide a more gen- 
eral meaning to the world at large. “I guess in a very real sense I’m a 
Gnostic, he says. “I had been looking all my life for some great mys- 
tery I think somewhere deep in my mind is the notion that if I 

could learn just the right thing, I would be saved.” 

And then, Diffie’s quest to discover truths in cryptography became 
intertwined with another sort of romance: his courtship of Mary 
Fischer. 


It had not been Whit Diffie’s original intention to fall in love with a 
Jewish Brooklyn-born animal trainer who was already married. Up to 
the day when she upbraided him on the phone for ignoring her, he had 
in fact hardly thought of her. But her outburst struck a nerve, perhaps 
more so because his own longtime relationship was on the wane. 
When he bid goodbye to Mary on his way across the country, and told 
her he’d see her in a year, he meant it. With about $12,000 he had 
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saved from his salary at Mitre and an intention to live “low on the 
hog,” as he later put it, he was out to learn all he could about crypto — 
and maybe do something about it. That seemed like a solitary mission. 

But in August 1973, when he stopped by Fischer’s New Jersey 
house for a visit, he found that her marriage was falling apart and that 
she was finding relief by going to charismatic prayer meetings. It was 
not the type of thing she felt comfortable talking about to mathemati- 
cal types like Diffie, but when she came out with it, his reaction took 
her aback. “You know, Mary,” he said, “I’ve always had a soft spot for 
mystics.” They began to spend time together. Fischer didn’t drive, and 
Diffie fell into the habit of escorting her to zoos — especially to locate 
a King cobra — and then on longer trips to view architecturally inter- 
esting churches. At one point, on a Massachusetts road, Diffie impul- 
sively pulled the car over and very quietly told Mary he loved her. She 
said she loved him back. And that was that. Though it was painful for 
Fischer to acknowledge the end of her marriage, Diffie hastened the 
process by daring her to join him on a sojourn to Florida to watch a 
launch of the Skylab mission. They drove straight through and arrived 
at Cape Canaveral at three in the morning. Some hours later, they 
watched together as the big rocket blew fire on its jump toward the 
cosmos. 

From that point, Mary Fischer was Diffie’ s companion, and even- 
tually his wife, as he drove thousands of miles in his search for an 
answer to the riddle of cryptography. They would pass the hours talk- 
ing, or, more often, singing popular tunes. The National Security 
Agency had no clue that the man who was about to make life infinitely 
more difficult for them was spending endless hours in a Datsun 510, 
crooning “Sweet Caroline” with his new girlfriend. Though Fischer 
had little understanding of the technologies and mathematics that 
drove Diffie, she became his partner in the quest. His cryptographic 
muse. 

“I was terrified all the time because I’d abandoned everything that 
was familiar to me,” she recalls of those days. “Every now and then 
he’d stop off at a library, or see somebody, and it was really cloak and 
dagger — people who didn’t want to talk to him, people who put their 
coats over their faces, people who wanted to know how the hell he’d 
found out their names, people who had secrets, clearly, and were not 
about to share them. And Whit was trying to ferret those secrets out. 
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It was a perpetual kind of voyage of discovery because he kept check- 
ing out these people. And sometimes he’d say, ‘I want you to stand 
here to listen. I don’t want anybody to see you but I just want you to 
listen.’ So I went on some of these encounters. But basically I didn’t 
have a clue what he was up to.” 

Sometimes Diffie would try to explain his motivations to her. The 
computer age, he told Mary, held terrible implications for privacy. As 
these machines become ascendant, and we use them for everyday 
communication, he warned, we may never experience privacy as we 
know it today. His apocalyptic tone unsettled Mary, but she wanted to 
hear more. 

Eventually, Mary understood how Diffie’s mission mixed the politi- 
cal with the personal. Devising a way to wedge open the NSA’s grip on 
crypto would satisfy not only Diffie’s sixties-style rebelliousness, but 
also what would later be identified as a strongly libertarian ethic in 
him. “Whit wants to uncover secrets,” she says. “Anything that’s 
secret is something that Whit has to know. When we first got together 
I couldn’t believe it. He was doing things like going through my 
garbage bags. He didn’t trust anything. He feels as though what ordi- 
nary people take for granted is just too simple and there must be 
more under the surface there. And he builds up terrible complications 
that way.” 

Of course, the most significant complication was his seemingly 
quixotic mission to discover something under the nose of the National 
Security Agency. He wondered whether he was putting himself at risk, 
and indeed, because of this, “my attitude was to keep my head down 
for the first couple of years,” he says. Ultimately, though, the length of 
the odds stacked against him only made the quest more attractive to 
Diffie. 

One thing Diffie did trust during this period was the Datsun 5 1 0 
automobile. He kept buying and rebuilding them, even though the evi- 
dence indicates that the cars were far from immortal. “I was stub- 
born,” he explains, adding that “most of what I do is characterized by 
the fact that I’m stubborn.” Mary Fischer puts it differently. “When 
Whit decides he wants something, he’ll research it thoroughly, fix on 
the best idea of its kind, and from then on he is married to that thing.” 
His Datsun broke down in Nebraska, whereupon Diffie rented a truck 
and transported the car to the West Coast. He then purchased a sec- 
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ond 510, a black junker with about 100,000 miles on it. “It had a fine 
set of insides in it,” Diffie recalls fondly. This took him and Mary on 
their second continental crossing. The car took sick in La Mesilla, 
New Mexico, emitting an ominous chink-chink-chink sound, but it 
got Whit and Mary back to California, only to go dead in a Redwood 
City parking space two days later. Diffie then purchased more Dat- 
suns, initiating an elaborate process of vehicular organ transplants. “At 
one point we had five Datsuns,” recalls Mary Fischer. “Whit would 
work on them himself; he didn’t trust mechanics. He is not an utterly 
trusting soul.” 

What did Diffie encounter during his cross-country journeys? 
Many people who refused him. But a few helped, providing him with 
hints of contemporary crypto techniques, or even unpublished works. 
Among those helpers was Diffie’s personal Mao, David Kahn, who 
invited Diffie for pizza at his Long Island home after Diffie had 
cold-called to introduce himself. Though taken aback by Diffie’s 
appearance — an abundance of hair and ultracasual attire — The Code- 
breakers’ author was impressed with his knowledge. He agreed to pro- 
vide Diffie with some crypto documents from his research. 

One important cache of papers dealt with William Friedman, the 
acknowledged godfather of the government’s cryptographic efforts. A 
naturalized American born in Russia late in the nineteenth century, 
Friedman had become interested in cryptography while researching 
the possibility that Francis Bacon was the true author of Shakespeare’s 
plays. (Many years later Friedman and his wife Elizabeth would 
authoritatively debunk this notion in their book, The Shakespearean 
Ciphers Examined.) During World War I, Friedman became involved 
in the U.S. government’s codebreaking efforts and developed a series 
of courses to train prospective cryptanalysts. Within the closed com- 
munity, his works became classics, particularly those on his use of sta- 
tistics to crack codes. Friedman’s World War II work was instrumental 
in breaking the Japanese cipher PURPLE, and he was an important 
figure in the early NSA, remaining active as a consultant long after his 
retirement in 1955. Throughout, virtually all his critical work was top- 
secret, so when Kahn offered Diffie a look at some rare, recently 
declassified materials, Diffie treated them like the original copies of 
the Constitution. Instead of handing the bound books over to atten- 
dants at a photocopying center, he lovingly photographed each page 
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with a 35mm camera. This meticulousness proved prescient, as the 
NSA hadn’t yet realized that copies of these papers had slipped under- 
neath the Triple Fence; when it did, the agency would attempt to 
retroactively classify the material, thus making criminals of those who 
did not immediately turn them over to the proper authorities. 

In the summer of 1974, Diffie heard that Jim Reeds, a Harvard 
doctoral student in statistics he had met a year earlier, was leading a 
seminar in cryptography there. Diffie headed back to Cambridge and 
sat in. Also attending was Bill Mann, a friend who was working on the 
ARPA security plan. At one point Diffie was trying to explain to Mann 
the meaning of something called a one-way function. This was a 
mathematical oddity that he had come across and couldn’t stop think- 
ing about. A true one-way function is something that can be calcu- 
lated easily in one direction but not easily reversed — a mathematical 
Humpty-Dumpty. One cryptographer would later explain that when 
you broke a dinner plate, you were using a one-way function: “It is 
easy to smash a dinner plate,” he wrote. “However, it’s not easy to put 
all of those tiny pieces back together again into a plate.” 

Diffie was increasingly convinced that one-way functions could fig- 
ure into a new kind of cryptographic approach, but he wasn’t sure 
how. He couldn’t even explain what it was clearly enough for Mann to 
understand it. But Mann misunderstood it rather creatively. He came 
away with the impression that a one-way function was something that 
not only could be quickly computed in one direction but could be cal- 
culated in reverse as well — if you had the proper information. Using 
the plate analogy, Mann said it was as if the guy who broke the plate 
had some magic way to un -break it, like a film running backward 
showing those tiny shards of broken china fusing back into a pristine 
dinner plate. As he laid out his conception to Diffie, Mann was envi- 
sioning what one day would be called a “trapdoor one-way function.” 
It would prove to be a prescient misunderstanding. 

Also in Cambridge, Diffie talked about crypto with Richard Schroep- 
pel. He was a former MIT hacker who had a reputation as a math 
wizard. Schroeppel had been thinking about the idea of electronic com- 
merce, and was beginning to grapple with the same sorts of problems 
that Diffie and McCarthy had discussed: What if Company A wanted 
to place an electronic order with some Company B and no preexisting 
relationship existed? How could they secure their communications? 
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Schroeppel was impressed that Diffie had done a lot of thinking 
about such problems. And he certainly respected Diffie, who had done 
great, though unheralded, work at MIT’s AI lab, building Macsyma. 
Schroeppel also knew that Diffie had written the complicated routines 
to handle large numbers in the Stanford version of the computer lan- 
guage LISP. “To my mind, writing a set of big number routines crosses 
you over a threshold,” says Schroeppel. “It’s like passing the Bar 
[exam]; it means you really know how to use a computer and you 
really know how to do arithmetic.” 

Over lunch one day Diffie floated the idea that perhaps there was a 
way to get around the electronic commerce problem. What about a 
one-way function, he suggested — a reversible one-way function, like 
the one Bill Mann had unwittingly suggested? Could that possibly be 
part of a solution? They talked about it for a while, but Schroeppel 
was skeptical. “Actually, you probably can’t find any of those func- 
tions,” he warned Diffie. “They probably don’t exist.” 

Undaunted, Diffie kept on, desperate for someone who could 
provide him with more clues. He and Fischer went to see a friend in 
Cambridge who mentioned a fellow named Alan Tritter. Tritter sup- 
posedly had done work in cryptography. He now worked for IBM. So 
during that same summer of 1974, Diffie tracked him down at the 
major center of cryptographic activity outside the government, IBM’s 
T. J. Watson Labs, in Westchester County, New York. 

Even in a field littered with brilliant oddballs, Tritter stood out. Due 
to a rare disease that generated a massive volume of body fat, he 
weighed what friends estimated as a minimum of 400 pounds. Rumor 
had it that his grandfather had been a wealthy man who had left Trit- 
ter only enough money to attend school. Though some regarded him 
as a mathematical genius, others felt that his reputation was unearned. 
“Immediately after he was hired, it was regretted, but IBM wouldn’t 
admit its error,” complained one former IBM colleague. “I don’t really 
think he did anything there.” On the other hand, Tritter was ahead of 
his time by acquiring an early mastery of telephone hacking. He would 
die young. 

Diffie was immediately gratified to learn that Tritter was knowl- 
edgeable about Identification Friend or Foe (IFF) devices. Reading 
Kahn’s book, Diffie had been intrigued by its mention of these sys- 
tems, which are communications devices that essentially quiz each 
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other to authenticate one’s identity. As Tritter explained it to Diffie, an 
IFF device works by issuing a cryptographic “challenge,” one that 
can be successfully met only by use of secret information to precisely 
solve the problem. The canonical IFF situation is a fighter plane 
encountering another airborne craft during a period of hostilities. 
If the intruder is a foe, it must be shot down, but it’s obviously un- 
wise to fire before determining if the target might be an ally. The 
IFF process is an electronic equivalent to a sentry’s question to an 
approaching foot soldier: “What’s the password?” Of course, IFF sys- 
tems relied on more complicated protocols than passwords. Since 
such communications were generally conducted by radio, it was as- 
sumed that enemies could listen in, and if a general password were 
issued to the forces of one side, a foe could easily discover the magic 
utterance that would enable its own planes to pose as friends. 

It turned out that one of Tritter’s colleagues at IBM, a German- 
born scientist named Horst Feistel, had performed crucial work in the 
field. (Unfortunately, Feistel had left for a Cape Cod weekend, and 
Diffie could not meet him then.) Tritter explained to Diffie how Feis- 
tel s IFF system got around the eavesdropping problem: when con- 
fronting an as-yet-unidentified aircraft, an American plane could send 
a radio signal containing a challenge randomly selected from a large 
number of possible alternatives. Other U.S. planes would be supplied 
with the means to encrypt that signal in the correct manner and send 
that scrambled response back to the questioner. The questioner would 
validate the response by decrypting it. If this process yielded the origi- 
nal signal, the second craft was definitely a fellow American. If enemy 
planes were listening in, it would do them no good simply to copy the 
friendly response and use it as a response to a later challenge, because 
in any subsequent encounter, the American planes would choose a dif- 
ferent signal, one that would be transformed to a different encrypted 
transmission. 

Tritter’s information was exciting to Diffie. By that explanation, IFFs 
worked in somewhat the same way that a one-way function might. He 
hoped for similarly helpful clues when he wangled an audience with the 
head of the mathematical group at IBM, Alan Konheim. He didn’t 
get any. “He was very secretive,” complains Diffie. Konheim, now a 
professor at the University of California at Santa Barbara, was one of 
those mathematicians who had taken several NSA-sponsored courses 
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and had signed the fatal document that bound them to submit their 
future cryptographic works to the agency. “You sign it once and it’s 
forever,” he later explained. 

There was no way that Konheim was going to give any crucial 
information to the stranger who sat in his office along the curved-glass 
walls of the Watson research building. However, Diffie says that Kon- 
heim did give him one critical piece of information. “He only told me 
one thing, and since then, he’s wished he’d never said that,” crows 
Diffie. That datum was not a cryptographic tip but a referral, the name 
of someone who had been asking the same kinds of questions as Diffie 
had, a guy who had briefly worked at the lab and was now an assistant 
professor at Stanford. His name was Martin Heilman. Maybe, Kon- 
heim suggested, two people can work on a problem better than one. 

When Diffie and Mary next drove whichever Datsun 510 was run- 
ning at that time to the West Coast for a stint of house -sitting for John 
McCarthy, one of the first things that Diffie did was phone this young 
professor of electrical engineering. “I arranged a half-hour meeting at 
my office at Stanford,” Marty Heilman now recalls, “figuring it’s just 
not going to go anywhere, but what the heck.” Thus was made the 
match that, in the world of crypto, would later attain the resonance of 
famous pairings elsewhere: Woodward-Bernstein. Lennon-McCartney. 
Watson-Crick. 

Diffie-Hellman. 


Though he lived in California, Marty Heilman was pure Big Apple: 
pugilistic, in-your-face New York City. With his dark hair, beard, and 
intense stare, he resembled a Semitic version of Martin Scorsese. Born 
in 1945, he grew up Jewish in a tough Catholic neighborhood and 
learned to take an outsider’s view. He also took refuge in science. His 
father and uncle both taught physics in the public schools. Young 
Heilman had always been turned on by explorers and new frontiers, 
whether it was Magellan charting the New World or Einstein on 
redefining the way we understand the universe. He was accepted into 
the Bronx High School of Science; his avocation was ham radio. 
“That probably pulled me into electrical engineering,” he said. “It’s 
a very broad area; you can move from theoretical physics through 
solid-state physics and math.” He got his doctorate from Stanford in 
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1969, and his first job was at IBM research in Yorktown Heights, New 
York. 

Not long after he was hired, Heilman gave a paper at an informa- 
tion theory symposium held at the Neville hotel and resort, the head- 
quarters of the Catskills’ Borscht Belt. The banquet speaker was David 
Kahn. Heilman had always believed that there was something kind of 
sexy about cryptography, but Kahn’s appearance got him thinking 
about it as a serious scientific pursuit, and those thoughts got stronger 
when he discovered that his new employer was already working in 
that field. Surely commercial applications existed, he figured. Though 
Heilman didn’t work directly with Horst Feistel, the German-born 
cryptographer worked nearby in the building, and sometimes the two 
of them would sit together at lunch, where the older man would 
describe some of the classical cryptosystems and some of the means of 
breaking them. 

Heilman left IBM in 1970, accepting a post as assistant professor 
at MIT. At that time Peter Elias, who had worked closely with Claude 
Shannon, was just stepping down as the head of the electronic engi- 
neering department. Elias’s talks with Heilman drew the young aca- 
demic deeper into crypto, and for the first time he began thinking 
about making it the focus of his research. “Partially, it was the magi- 
cian aspect, being able to impress people with magic tricks,” he now 
explains. “Also, the potential to make a real impact, and advance my 
career by doing it.” 

He resisted the temptation to do what the vast majority of scientists 
and academics in his field had already done: work within NSA stric- 
tures. “From the very beginning, once someone heard I had an inter- 
est in cryptography, the people from NSA would come at me,” he says. 
Heilman would profess interest in hearing what they knew, but only if 
he would remain free to publish his own findings. The officials would 
warn him he was wasting his time, and that by depriving himself of the 
research performed at The Fort, he’d never come up with anything 
worthwhile. But Heilman, brimming with chutzpah in those days, said, 
in effect, To hell with you, I’m doing it anyway! He figured that even 
if he wound up rediscovering something that was already in the clas- 
sified literature, his feat would not be redundant, because his findings 
could be exploited for commercial use. “It was hard,” he says. “But it 
was also doing something exciting that no one else was doing.” 
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Enter Whit Diffie. 

“It was a meeting of the minds,” says Heilman. It came at a propi- 
tious time: though Heilman had recently published his first paper in 
the field of cryptography — a gloss on Shannon’s work — he’d been 
stuck for a follow-up, and longed for a kindred ear. “I’d been work- 
ing in a vacuum,” he says, “and was feeling, ‘Is this really worth it?’ 

I was really getting concerned about whether this was going to lead 
anywhere.” 

Showing up wearing what Heilman called “the AI uniform” — black 
chinos, white socks, white shirt, and tennis shoes — Diffie was un- 
doubtedly quirky. But he knew his stuff. He knew volumes. Only 
someone like Heilman, who had banged his own head against the ram- 
parts of crypto secrecy, could appreciate how well spent were Diffie’s 
months and years traveling, talking to anyone he could find, burrow- 
ing in libraries for forgotten books like Luigi Sacco’s 1938 treatise on 
cryptography, and poring over obscure texts like the Friedman papers 
that NSA had later tried to reclassify. “He’d dug up everything I had 
never seen or had the energy to dig up,” says Heilman. Finally, some- 
one with whom he could toss ideas back and forth; it was like an ele- 
gant game of hard catch between two professional ballplayers. 

The half-hour meeting went on for an hour, two hours, longer. 
Heilman simply didn’t want it to end, and Diffie, too, seemed eager to 
continue for as long as possible. Heilman had promised his wife he’d 
be home by late afternoon to watch their two small children while she 
went off, so finally he asked Diffie back to his house. No problem! 
Diffie called Mary and she came over to have dinner with Whit and all 
the Heilmans, and it wasn’t until 1 1 :00 or so that night that the dia- 
logue broke up. 

Not surprisingly, the two decided to continue the conversation. “It 
was very nebulous,” says Heilman. “He had some great ideas, I had 
some great ideas, and there was some overlap. We just loved talking to 
each other. It wasn’t that we had a goal of doing this or a goal of doing 
that — we just wanted to go further down the path we had each gone 
down, without finding someone at the end of the path telling us what 
everybody else was telling us: that we were wasting our time.” 

Both Diffie and Heilman firmly believed that the advent of digi- 
tal communications made commercial cryptography absolutely essen- 
tial. All of these huge computer and telephone networks made life 
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incredibly easy for eavesdroppers — it was going to be possible to fully 
automate spying. At least with radio broadcasts, snoopers had to 
monitor numerous points in the channel band; with a network, it was 
as if everyone were broadcasting on the same channel. A spy agency 
like the NSA could — and would — simply turn on the Hoover and 
inhale gigabytes of data. “Ninety-nine percent of what they suck up 
gets blasted out as hot air,” says Heilman. “But by combing the data 
for key words, key phrases, key names and addresses, one percent gets 
caught in the bag as dirt.” 

The antidote for this would amount to, in essence, a cryptographic 
revolution, which would allow ordinary people to encrypt the stuff 
they sent over the network. The big problem, as Diffie had discussed 
with McCarthy and Schroeppel, was scaling crypto for more users, 
and making it easier to use. Something had to replace, or at least aug- 
ment, the old-style, classical form of symmetrical- key crypto (where 
the same key that scrambles the messages can unscramble it, too), 
because it was totally unfit for the massive numbers of private conver- 
sations and digital transactions that people would require. The prob- 
lem was that in order to have those private conversations, both parties 
had to arrange in advance what the key would be, and then somehow 
use that key without exposing it to eavesdroppers or intruders. This 
was a fairly straightforward act for a military organization, but an 
absolute nightmare in a bustling marketplace. What were you going to 
do — send millions of bonded couriers out into the streets to person- 
ally hand someone a new key every time he wanted to start up a phone 
conversation or file a purchase order? The only feasible approach 
seemed to be an infrastructure of key distribution centers that would 
generate a key every time two people requested one for a private con- 
versation. But Heilman shared Diffie’s deep-seated suspicion of such 
a centralized system. 

“I knew he’d be around for a couple of months, but I also had the 
feeling that he might pick up and leave, and I was really anxious to see 
him stay here,” says Heilman. So Heilman called his grant monitor in 
the National Science Foundation (NSF) and wheedled some more 
funds to spend working on cryptography. There was enough to hire 
Whit Diffie as a part-time researcher. “It might have been for ten to 
twenty hours a week, or about a quarter to a half of what a working 
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person would normally make,” says Heilman, who also suggested that 
while they were at it, why not have Diffie enroll as a graduate student 
and get a doctorate in the process? 

That part of the arrangement didn’t work out. “Whit is a truly free 
spirit,” was Heilman’s postmortem. “When he’s interested in some- 
thing for himself and no one’s making him do it, he will spend unbe- 
lievable hours a day, get by with little sleep. But [not] when he has 
homework assignments and the structure.” Ultimately, Diffie dropped 
out of the graduate program when the administrators noticed that he 
hadn’t taken the requisite physical examination. “I didn’t feel like 
doing it; I didn’t get around to it,” says Diffie. Though he finessed the 
matter for some months, ultimately, when the Stanford bureaucrats 
refused to register him without proof he had taken the physical, Diffie 
told them to go to hell. 

“I used to think of it as a handicap on Whit’s part,” says Marty 
Heilman, “but maybe he was just mature at an earlier age, think- 
ing, Damned-if-I’ll-follow-some-of-your-stupid-rules. Because some 
of them are stupid.” 

Ultimately, it was only by questioning the conventional rules of 
cryptography and finding some of them “stupid” that Diffie made his 
breakthroughs. A case in point: the belief that the workings of a secure 
cryptosystem had to be treated with utmost secrecy. That might have 
held true for military organizations, but in the computer age, that 
didn’t make sense. There would be unlimited users who needed a sys- 
tem for privacy; obviously, such a system would have to be distributed 
so widely that potential crackers would have no trouble getting their 
hands on it and would have plenty of opportunity to practice attack- 
ing it. Instead, the secrecy had to rest somewhere else in the system. 
Maybe those one-way functions that obsessed Diffie could be involved 
in such a system. 

In the months that followed, they became close colleagues and 
friends. Mary and Whit often hung out at the Heilmans’. Marty’s wife 
Dorothy was an enthusiast of purebred dogs — obviously something 
Mary was interested in — and Mary got one of Heilman s daughters 
interested in playing the harp. Whit and Marty would usually be off in 
a corner, talking cryptography. 

Between Whit and Mary there was now an understanding that the 
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traveling was over. They began their Palo Alto house-sitting stint for 
John McCarthy, watching his teenage daughter Sarah while the AI 
pioneer was on a Japanese sabbatical. Meanwhile, they started looking 
for a place of their own in Berkeley. Mary took a job with British 
Petroleum in San Francisco. Whit had the house to himself all day, 
and he would clean and cook. Mainly, he would work with Marty, hop- 
ing against hope that his years of didactic study would bear fruit and 
he would make a contribution, however slender, to the maddingly 
secretive field of cryptography. 

His years of obsession had not decreased his passion for the subject. 
Nor had his deep affection for Mary Fischer — his other romance — 
distracted him. On the contrary, their relationship had only intensified 
his hunger for privacy, and the quest for a technology to provide it. 
His epic quest had begun from a lack of trust in computer systems and 
their keepers. Now it was about maintaining a valuable personal con- 
nection, too. “When he felt he’d finally found a trustworthy person,” 
as Mary Fischer later explained, “the question became, ‘How do you 
deal with a trustworthy person in the midst of a world full of untrust- 
worthy people?’ ” 


the standard 


0 n March 17, 1975, a dry government document produced a shock 
wave that just about tore the plaster off the walls of Martin Heilman’s 
little cipher operation at Stanford University. It was a Federal Register 
posting from the National Bureau of Standards (NBS), ostensibly one 
of countless protocols proposed by that agency that, if adopted, would 
become the officially endorsed means of doing things for the federal 
government. By extension, it would become the no-brainer choice for 
private industry and just plain folks as well. This proposal involved 
something seldom ventured in the public literature: a brand-new 
encryption algorithm. And a strong one to boot. It was to be called the 
Data Encryption Standard, or DES. 

The Stanford team had known that the unprecedented move was in 
the offing — the NBS had been issuing requests for such a standard — 
and Heilman knew that his old and trusted colleagues at IBM had been 
cooking up a system designed to satisfy the government’s criteria. So 
at first they welcomed the announcement. “This was big news, recalls 
Heilman. “We were happy to see a standard. We thought it was a won- 
derful thing.” 

Then they began to actually examine the DES system — and learned 
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that the National Security Agency apparently had a hand in its de- 
velopment. And their enthusiasm turned to dismay. Right away, it 
was glaringly obvious that the flaw in the DES was the size of the 
encryption key, a metric that directly determines the strength of a 
cryptographic system. It was 56 bits long. That’s a binary number of 
56 places. You could envision this as a string of 56 switches, each 
of which could be on or off. Though 2 to the 56th power was a hell of 
a big number in most circumstances — it meant that there were 2 56 
possible keys, or about 70 quadrillion — Heilman and Diffie believed 
that it was too small for high-grade encryption. Sophisticated com- 
puters, they insisted, could eventually work hard enough to find solu- 
tions to such encrypted messages by “exhaustive search”: trying out 
billions of key combinations at lightning speed until the proper key 
was discovered and the message suddenly resolved itself into the 
orderly realm of plaintext. This would be a classic “brute-force” 
attack. “A large key is not a guarantee of security,” says Heilman, “but 
a small key is a guarantee of insecurity.” 

Diffie wrote as much in an otherwise respectful initial analysis of the 
standard, submitted in May 1975 as part of the NBS’s public comment 
process. “The key size is at best barely adequate. Even today, hardware 
capable of defeating the system by exhaustive search would strain but 
probably not exceed the budget of a large intelligence organization.” 
He postulated that a free-spending agency could feasibly build a cus- 
tomized machine that would crack such a key within a day. “Although 
cryptanalysis by exhaustive search is far from cheap, it is also far from 
impossible,” he wrote, “and even a small improvement in cryptanalytic 
technique could dramatically improve the cost performance picture. 
We suggest doubling the size of the key space to preclude searching.” 

Naively, the Stanford duo believed that such advice might be heeded 
by the United States government: Well, damn, you guys are right! Let’s 
double that silly key size! Instead, the government’s response was suf- 
ficiently evasive for Heilman to suspect that a smoke screen lay behind 
the NBS’s actions. In subsequent months, in fact, Heilman would 
publicly begin to question whether the DES algorithm might have 
been a daring ruse on the government’s part to lull citizens and 
perhaps even foreign foes into an illusion that they were protecting 
information — while that supposedly secure data was easily accessible 
to the NSA. At his most paranoid, Heilman wondered whether the 
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DES had a “back door” implanted in it by Fort Meade’s clever cryp- 
tographers. While there was no direct proof of that, there was reason 
for suspicion. If everything was on the up-and-up, Heilman wanted to 
know, why was it that the design principles of the algorithm, as well 
as its inner workings, were being treated as government secrets? If the 
government had nothing to hide, why were they hiding something? 

Diffie and Heilman were only the first to question the murky ori- 
gins of the Data Encryption Standard. The debate would continue 
even as the DES became a kind of gold standard for strong commer- 
cial cryptography — and an object of continued suspicion among the 
outsiders of the crypto and civil liberties world. Only with the passage 
of time would it become clear that the development and certification 
of DES was in a sense an inspiring story of its own, one that had ele- 
ments in common with the quest of Diffie and Heilman themselves. 


The story began with one of IBM’s most enigmatic researchers, Horst 
Feistel. He was the German-born cryptographer who had done the 
work on Identification Friend or Foe protocols that Whit Diffie had 
learned from Alan Tritter. Feistel had been working at IBM’s research 
division in Yorktown Heights since the late sixties. It was one of the 
few jobs in the private sector that involved work in cryptographic 
research. 

In fact, some of his colleagues suspected that Feistel had been in the 
NSA’s employ and was somehow still hooked up with it, even while 
working for IBM. In any case, his biography is somewhat sketchy. 
Born in 1914, he had left Germany as a young man. His aunt had 
married a Swiss few living in Zurich, and on the concocted pretext of 
tending to his aunt’s illness, Feistel joined them just before the Third 
Reich began a military conscription that would have prevented his 
escape. After studying in Zurich, Feistel came to the United States in 
1934. He was about to become a naturalized citizen when America 
was thrust into World War II. Feistel was put under what he once 
described as “house arrest,” his movements restricted to the Boston 
area where he was living. But in January 1944, Feistel’s circumstances 
changed abruptly. He was not only granted citizenship but also given 
a security clearance and a job at a highly sensitive facility: the Air 
Force Cambridge Research Center. 
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What he did there is unclear. Codes had fascinated him since his 
boyhood, but in the early 1990s he told Whit Diffie that while crypto 
work was indeed his desire, he was informed that this was not suitable 
wartime work for a German-born engineer. On the other hand, in a 
1976 interview with David Kahn, Feistel said that during the war he 
had worked on Identification of Friend or Foe systems — not cryptog- 
raphy per se at that time, but close. 

There are other contradictions in Feistel’s various accounts of his 
activities. He told Diffie that before he was granted U.S. citizenship, 
he had to report to authorities every time he left Boston to visit his 
mother in New York. But he once told a coworker that his mother 
didn’t emigrate until the Cold War began. The U.S. had spirited her 
out of East Berlin, he reportedly said, just in case the Soviets discov- 
ered that Feistel was doing crypto and decided to pressure her. 

There was no doubt, however, that after the war, Feistel began to 
specialize in IFF. He headed a crypto group at the Cambridge Research 
Center, and part of his job was testing an advanced IFF system that 
depended on an amazing new invention, the transistor. This tiny mar- 
vel would enable an IFF system to be built so compactly that it could 
fit into the nose of a fighter plane. Another important project of Feis- 
tel’s was a longtime passion: constructing a strong cryptosystem based 
on block ciphers. (This kind of system encrypted messages by pro- 
cessing them in chunks, or “blocks,” as opposed to stream ciphers, 
which did their scrambling on text as it flowed, or “streamed,” by.) 

Did the NSA embrace Feistel’ s work, or did it see his work as 
a threat, and try to stifle it? According to what Feistel told Diffie, the 
people at The Fort had closely monitored his air force work and used 
the NSA’s power to influence the direction Feistel’s work took. But the 
agency also regarded the project as a threat and eventually managed 
to kill the entire crypto effort at the Cambridge lab. When Feistel left 
for another job in the mid-1960s at Mitre (the same military contrac- 
tor that would later put Whit Diffie on its payroll), he unsuccessfully 
tried to organize a group there that would resume his crypto work. He 
blamed the failure on more NSA pressure. 

So Feistel took the advice of his friend, A. Adrian Albert, and went 
to work for IBM, which seemed more open to such pursuits. (Albert 
was a mathematician, a onetime head of the American Mathemati- 
cal Society, who had himself done extensive cryptography work for 
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the government.) IBM was an amazingly rich company with little 
competition, and its research division was an intellectual playground 
where incredibly bright scientists were encouraged to explore what- 
ever interested them. “If they hired you at Yorktown, you’d do what 
you wanted, as long as you did something,” says Alan Konheim, 
who became Feistel’s boss in 1971. “And Feistel did something — he 
formalized this idea for a cryptosystem.” 

The most remarkable aspect of Feistel’s creation was not its mathe- 
matics or its technology — or even its resistance to codebreakers — but 
the motivation behind it. His superstrong cipher wasn’t intended to 
defend government secrets or diplomatic dispatches, but to protect 
people’s privacy — specifically, to protect databases of personal infor- 
mation from intruders who might steal the contents to create detailed 
dossiers on individuals. “Computers,” wrote Feistel in a 1973 article 
for Scientific American, “now constitute, or will soon constitute, a 
dangerous threat to individual privacy. ... It will soon be feasible to 
compile dossiers in depth on an entire citizenry.” Feistel declared that 
the antidote was cryptography, traditionally the domain “of military 
men and diplomats.” He proposed that computer systems be adapted 
“to guard [their] contents from anyone but authorized individuals by 
enciphering the material in forms highly resistant to cipher-breaking.” 
Considering Feistel’s familiarity with the government’s zeal for keep- 
ing cryptography to itself, this was a significant position to take. So 
important was privacy in the computer era, Feistel believed, that the 
knee-jerk national security arguments would have to be shelved. 

Meanwhile, Feistel was concocting a system that would grant peo- 
ple that privacy. 

The system was called Demon, so dubbed because file names in the 
computer language he used (APL) could not handle a word as long as 
his unimaginative choice for the first version, “Demonstration.” Later, 
in a burst of inspiration, an IBM colleague would change the name, 
carrying over the satanic theme from Demon, to “Lucifer,” thus con- 
taining a cryptographic pun. 

As a block cipher, Lucifer was a virtual machine that sucked in 
blocks of plaintext data and spit out blocks of ciphertext. Feistel cre- 
ated several versions; the best known used a digital key of 128 bits, 
an enormously tough target for a brute-force attack. Impossibly tough. 
Of course, the issue of key length would be of little importance if a 
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codebreaker could quickly crack the system by detecting and exploit- 
ing structural weaknesses that would recover plaintext without having 
to bother with brute -force attacks. If even the most subtle pattern 
could be discernible in ciphertext, a codebreaker would be on his 
way to breaking the system. Lucifer’s strength, like that of any other 
cipher, depended on denying potential foes any such shortcuts. Feis- 
tel’s cipher avoided telltale patterns by subjecting the plaintext charac- 
ters to a tortuous mathematical journey, leading them through a 
complicated whirl of substitutions. Ultimately, after sixteen “rounds” 
of furious swapping with other letters in the alphabet, the actual plain- 
text words and sentences would appear only as a block of seemingly 
random letters: an oblique ciphertext. 

The crucial rules of substitution took place by means of two sub- 
stitution boxes, or “S-boxes.” These, of course, were not physical 
boxes, but sets of byzantine nonlinear equations dictating the ways 
that letters should be shifted. (At least one colleague of Feistel’s, Alan 
Konheim, believes that the idea of S-boxes had been given to Feistel 
by the NSA at a summer workshop, supposedly to get a technology 
well understood by Fort Meade into the mainstream. “Horst is a very 
clever guy, but my guess is he was given guidance,” says Konheim.) 

The S-boxes did not merely initiate a set of predictable substitu- 
tions in the letters; they used information drawn from a series of num- 
bers that comprised a secret key to vary the sequence as the bits 
passed through the boxes. The security of the system ultimately rested 
with this key. Without knowing this key, even a foe who understood 
all the rules of Lucifer would have no advantage in transforming 
ciphertext into plaintext by some reverse-engineering technique. 

Such knowledge of the rules was to be assumed; the nuts and bolts 
of a well-distributed commercial cipher were much more likely to be 
accessible to eavesdroppers than the workings of military codes, which 
could be more tightly controlled. A cryptanalyst trying to crack an 
army code would often have no clue as to the system used to produce 
the ciphertext, a problem that required not only plenty of extra time to 
break the code, but also a huge amount of resources in the black art 
of undercover intelligence. Huge spy networks devoted themselves to 
learning the sorts of codes the enemy used. On the other hand, if 
Chase Manhattan Bank decided to use IBM’s brand-name code to 
encrypt its financial transactions, a potential crook would find it rela- 
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tively simple to discover what cryptosystem the bank used. Since IBM 
might license the cryptosystem to others, the rules of that system 
would probably be circulated fairly widely. So in this new era of non- 
military crypto, all the secrecy would rely on the key. 

IBM applied for, and received, several patents for Lucifer. As an 
innovation of its Watson Research Lab, Lucifer fell into the research 
category. But unlike some blue-sky schemes at Watson that were way 
ahead of their time, an invention that provided an instant answer to a 
pressing problem — data security in the communications age was 
naturally positioned on a fast-track to commercialization. Lucifer’s 
first serious implementation came quickly, in Lloyds of London s Cash- 
point system, a means for distributing hard currency to bank cus- 
tomers. Undoubtedly, this was a harbinger of bigger things to come 
for both IBM and crypto. It was only a matter of time before Horst 
Feistel’s baby would no longer be a research project; it would be a 
major IBM initiative. And that would change everything. 


As Feistel was refining Lucifer, a thirty-eight-year-old engineer named 
Walter Tuchman was working at IBM’s Kingston, New York, division. 
He was a Big Blue lifer, having first gotten his feet wet during a three- 
month period at IBM in 1957 between college and the army. When 
he finished his stint, IBM not only rehired him but sent him off to 
Syracuse to pursue a doctorate in information theory. Most of his 
classmates remained in academia, but Tuchman wanted to use his 
knowledge to actually create sophisticated technology, so he stuck with 
IBM and wound up heading product groups. 

Tuchman’ s most recent IBM task involved an odd sort of computer 
security vulnerability. When computer terminals are in operation, they 
leak out faint electronic impressions that a sophisticated eavesdropper 
can use to reconstruct the information being shown on the screen. In 
effect, those blips represent an unauthorized computer-data wiretap. 
The government wanted a special means to shield its computers from 
such potential leaks, and IBM responded by devising what came to be 
known as Tempest technology. It was considered a big win, and when 
Tuchman’ s team finished its work around 1971, people in the group 
wanted to stay together rather than disperse to other projects, a rou- 
tine known internally as “volkerwanderung.” To do this, they needed 
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a new mission. Tuchman’s boss knew there were some interesting 
things going on in the banking division that might require innovative 
advances in computer security, and suggested Tuchman and his team 
look into it. 

IBM’s banking division was fortuitously located just across the road 
from Tuchman’s offices in Kingston. He quickly found that his boss’s 
instinct was sound in sending him there. Building on the Lloyd’s proj- 
ect, IBM had decided to advance the idea of cash-issuing terminals, 
where bank customers could get money from their accounts without 
having to see a teller. The first cash-issuing machines had been giant 
safes that held not only the money but also all the electronic and com- 
puter equipment necessary to process the transaction. This was both 
costly and unwieldy. The better solution would be to spread the com- 
puter application between a terminal and the bank’s mainframe com- 
puter, which could do all the heavy-duty processing. This solution was 
not only efficient, but hewed to IBM’s recent, painful realization that 
the standard model of computing was headed to the junkyard. “Before 
then, data processing was all done on the mainframe. The security 
model was that you locked your door, you locked your desk, and you 
had a guy with a gun guarding the building,” explains Tuchman. But 
now, even the most tradition-bound minds in Armonk understood that 
in the future, as Tuchman puts it, “data processing was leaving the 
building.” And since a guard with a gun couldn’t be everywhere, the 
security model would have to change. 

Of course, a system that actually doled out cash would represent a 
trial by fire for whatever new type of security IBM employed. The cru- 
cial commands that flashed a green light to spit out twenty- dollar bills 
would be sent over the phone line. Tuchman was quick to understand 
how precarious this could be. Imagine if some techno-crook managed 
to elbow his way on to the phone line and mimic the messages that 
said, “Lay on the twenties!” 

The answer was cryptography. Though Tuchman had a background 
in information theory, he had never specifically done any crypto work. 
But he soon found out about the system that the guys in IBM research 
at Yorktown Heights had cooked up. He ventured down to Watson 
Labs one day and heard Feistel speak about Lucifer. He immediately 
set up a lunch with Feistel and Alan Konheim. The first thing Tuch- 
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man asked Feistel was where he had gotten the ideas for Lucifer. Feis- 
tel, in his distinctive German accent, mentioned the early papers of 
Claude Shannon. “The Shannon paper reveals all,” he said. 

Meanwhile, Tuchman’s colleague Karl Meyer was exploring whether 
Lucifer might be a good fit for an expanded version of the Lloyd’s 
Cashpoint system. Ultimately he and Tuchman concluded that it would 
probably need a number of modifications before it was strong enough 
to rely upon. But it would be a fine beginning. And so, they made an 
arrangement with Alan Konheim and his Information Theory Group. 
Tuchman and Meyer’s team at Kingston would build a revised algo- 
rithm for Lucifer. Then they would send it to Yorktown for evaluation 
and testing. 

The internal name for the cipher was the DSD- 1. 

Before this arrangement was approved, however, a top IBM execu- 
tive demanded to know why they were even bothering with Lucifer 
when he knew of a cheaper, faster algorithm. Tuchman took this sup- 
posedly superior algorithm home and broke it over the course of a 
weekend. (He and Meyer eventually published the break in the trade 
magazine Dutamation.) Tuchman would often cite this triumph as 
proof that his team knew what it was doing — and to ensure that the 
work wouldn’t be disrupted by clueless interference from upstairs. 
“We can’t deal with amateurs in the field,” he remembers telling the 
muckety-mucks high on the corporate food chain. There s no cheap 
way out of doing a crypto algorithm. You’ve gotta work, work, work. 
Qualify, qualify, qualify. It’s going to take a long time.” 

This was a fairly difficult process because, as Whit Diffie could have 
told the Kingston group, there was pathetically little information avail- 
able on how one could construct a modern, military- strength crypto- 
system. “All of it was classified,” sighs Tuchman. “But we understood 
from our mathematics classes what makes a cipher hard to solve.” His 
group read everything they could in the library, and, as Feistel had 
predicted, the most helpful papers were those of Shannon. And they 
talked a lot to Feistel himself. But mainly they reinvented a lot of what 
must have been common knowledge among the algorithm weavers at 
Fort George Meade. “We sat around in our conference rooms work- 
ing on the blackboard, teaching ourselves,” says Tuchman. 

Ideally, Feistel himself would have been recruited to temporarily 
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move to Kingston. Tuchman kept asking Konheim, “What does Horst 
want to do? I’ll give him a nice desk and his own office, and he can 
come up here.” 

And Konheim would say, “Nah, I don’t think it’ll work out.” 

Tuchman eventually came to understand why. “Horst was like a 
European version of James Stewart in the movie Harvey,” he later said. 
“He was sort of living in a little magical world between what happens 
in a commercial business like IBM and his hobbies. I never quite felt 
that Horst understood what the business world — especially the high- 
tech business world — was all about. He was cloistered in research in 
Yorktown, and here we were, these crazy guys from Kingston who were 
actually willing to make products, to see if we could do something that 
made money.” 

Konheim agrees that Feistel was oddly misplaced in the corporate 
world and, as time went on, even in the research division of that uni- 
verse. According to Konheim, as Lucifer became less and less Feistel’s 
invention and more the commercial product of an IBM division, Feis- 
tel would arrive at Yorktown later and later in the day. And even then, 
he wouldn’t seem to be working on the project, but rather spending a 
lot of time on the phone speaking German. Konheim says that Feis- 
tel’s elderly aunt had promised him a considerable inheritance, and a 
lot of that phone time was spent cultivating her almost fanatically. 
(According to Konheim, it was a bitter disappointment years later 
when she died and left him nothing.) 

And Feistel’s 1973 article for Scientific American — one of the most 
explicit scientific descriptions of crypto presented to the public in 
years — could have been interpreted as a rebellion of sorts. Certainly in 
some quarters such frankness about the cryptographic innards of a 
potential IBM product could have more than raised an eyebrow. 
Apparently, the NSA itself objected to the article; years later, Feistel 
would allude to the agency’s unhappiness with it, also remarking that 
if it hadn’t been for the Watergate scandal then turning Washington 
upside down, the NSA might have tried to shut down the entire 
Lucifer project, as it had with his previous ventures. 

The Kingston group was blissfully unaware of such intrigues. To 
them, the Lucifer effort was simply a product ramp-up. They focused 
on their goal of modifying the system, of increasing its complexity and 
difficulty so that its ciphertext would pass the Shannon tests for appar- 
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ent information randomness. The first step was to set up a list of what 
they called “heuristic qualifiers,” a series of mathematical tests that 
would evaluate the cryptosystem’s output — the scrambled message 
so that it bore no apparent relationship to the original message, 
appearing to be a random collection of letters. In Claude Shannon s 
terminology, the apparent information content would be zero. 

Feistel’s version of Lucifer certainly attempted to reach this ideal 
but didn’t go far enough. Its strongest feature was its two S -boxes, 
where the trickiest substitutions took place — the nonlinear transfor- 
mations designed to drive cryptanalysts batty. So the Kingston team 
decided that the new, improved Lucifer — DSD-1 — would have even 
more devious S -boxes. And the number of those would increase from 
Lucifer’s two to a much more formidable eight. 

Complicating that effort were the requirements for compactness 
and speed: “It had to be cheap and it had to work fast,” says Tuch- 
man. To fulfill those needs, the entire algorithm had to fit on a single 
chip. So another part of the team was a VLSI (Very Large Scale Inte- 
gration) group, split between Kingston and IBM’s Burlington, Ver- 
mont, labs, whose job was to put the entire scrambling system on a 
3 -micron, single wiring layer chip. If everything worked out, IBM 
would have the tiniest strong -encryption machine ever known. 

Working under those constraints, the Kingston team constructed 
the complicated DSD-1, still informally referred to as Lucifer. If all 
went well, their new Lucifer would take a 64 -bit block of plaintext, 
submit those bits through a torturous process of permutation, block- 
ing, expansion, blocking, bonding, and substitution involving a digital 
key, and then repeat the process fifteen times more, for a total of six- 
teen rounds. The result would be 64 bits of what appeared to be 
total digital anarchy, a Babel that could only be returned to order by 
someone reversing the encryption process by using the digital key that 
determined how the scrambling had been done. 

Then the Watson Lab team would try to attack it, to see if things 
really had gone well. 


Though Horst Feistel was not involved in the actual reconstruction of 
DSD-1, he did help bring his colleagues in research up to speed for 
the testing process. On January 11, 1973, he gathered five fellow 
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members of the Data Security Group at Yorktown Heights and gave 
them their first exposure to the Lucifer cipher. One of the group, Alan 
Tritter (the same eccentric computer scientist who had told Whit 
Diffie about IFF protocols), raised questions as to the wisdom of the 
entire enterprise. Was IBM putting itself at risk by vying to be a power 
in the new world of commercial cryptography? What if Lucifer could 
be cracked? 

Tritter’s comments drew interest because they seemed to echo some 
remarks made, but not proven, by a professor at Case Western Reserve 
University named Edward Glaser. A blind man who was one of the 
endless consultants IBM routinely hired with its bottomless budget, 
Glaser, according to Konheim, had blustered that if he were given 
twenty examples of ciphertext, along with the original plaintext (this is 
known as a chosen plaintext attack), he could break Lucifer’s system. 
(It turned out to be a specious claim.) 

But the point was well taken, and Tritter repeated it in a memo writ- 
ten later that year. “We were/are in an unusually exposed position,” 
he wrote. Noting that the first use of Lucifer was already implemented 
in a Lloyd’s cash terminal, he ticked off the consequences that could 
come if the system, like so many seemingly “unbreakable” ones before 
it, was somehow compromised. If someone was able to produce a 
valid key for a Lucifer cipher, he wrote, “a clever, resourceful, highly 
organized attempt to remove illicitly but without the use of force the 
entire cash contents of all the terminals in the ‘Cashpoint’ system, say 
over a single bank holiday weekend, would certainly succeed.” 

But such a possible loss was only the beginning of the sorts of per- 
ils IBM was courting by drawing on crypto’s implicit promise of secu- 
rity. With Big Blue’s fat cash reserves, it would be no problem 
replacing even a steep stack of twenties to reimburse Lloyd’s. More 
troublesome would be restoring public confidence. And then would 
come the lawsuits. 

“Were the security of [Lucifer] or of any other crypto product we 
may subsequently field to be breached publicly, the harm it would do 
us in the marketplace would be incalculable,” wrote Tritter. “And this 
is in addition to actual damages and the very real possibility of exem- 
plary damages awarded against us in a lawsuit which would give the 
press, the industry, and the public a field day.” 

On the other hand, how could IBM not pursue cryptography? Its 
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business was the information age, and without a means of protecting 
data as they moved from one computer to another, IBM would not sell 
nearly as many computers. The lack of cryptography was a potential 
roadblock to the computerization of America — and the computeriza- 
tion of the world itself. So on February 5, 1973, a high-level meeting 
was held to review “the status and plans of cryptography within the 
entire IBM corporation.” As Tritter later summarized the meeting, “It 
appeared to be broadly agreed . . . that IBM was apparently in the crypto 
business for keeps, and would have to acquire a corporate expertise in 
the area. In the meanwhile, attacks on Lucifer were to be intensified.” 

An outside expert, Jim Simons of the math department at the 
State University of New York at Stony Brook — who had also practiced 
cryptography at the Institute for Defense Analysis, the NSA satellite 
in Princeton — was recruited to organize a concentrated attack on 
Lucifer. He worked with three researchers from Yorktown Heights for 
about seven weeks in the late spring of 1973. Even before he issued 
his report, IBMers were buzzing with the good news: Simons and his 
team hadn’t cracked it. 

“The Lucifer machine is certainly stronger than I had originally 
thought,” Simons wrote in his report of August 18, 1973. But he 
didn’t exactly bestow a crypto seal of approval on it. “It seems highly 
improbable that Lucifer will be broken by two high school students as 
part of their science fair project,” concluded Simons. “On the other 
hand, there isn’t nearly enough evidence to feel confident that it won’t 
succumb to sophisticated attacks by a professional cryptanalyst.” Si- 
mons worried that if Lucifer, as currently constituted, was put into 
commercial use, it would almost inevitably be used to protect “traf- 
fic of genuine importance” (like money, or trade secrets), providing 
the incentive to encourage an intense, ultimately successful effort to 
break it. So while Lucifer seemed to be a good start for IBM, Simons 
warned, the company should work harder to come up with an im- 
proved product. “There really is no choice,” he concluded. 

Meanwhile, IBM itself kept wondering if Lucifer was up to the 
task. In a confidential memo in May 1973, its chief scientist Lewis 
Branscombe, summarizing the consensus of the firm’s Scientific Advi- 
sory Committee, emphasized the need for the company to “establish a 
single cryptographic architecture, technology and product strategy. 
Lucifer, he wrote, was not the only candidate. But later in the month, 
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another memo deemed the Kingston scheme superior, with one 
caveat: “Unless there is a clear evidence of a significant threshold of 
vulnerability.” 

The tests continued for months, conducted by private-sector 
researchers hired by IBM. “Alan would give them the algorithm and 
say, ‘Break it. Just go break it.’ And Alan kept reporting back that 
nobody could find a shortcut,” says Tuchman. “Finally I reached that 
magical psychological place where I figured this thing doesn’t have a 
shortcut, so there is just no shortcut solution. Forget it, guys, let’s 
concentrate on implementing the product now.” 

Still, compared to the world-class codebreakers behind the Triple 
Fence, most of the math professors hired to bang their heads against 
Lucifer were Little Leaguers. How could IBM be sure the scheme was 
really sound? They certainly didn’t want to find out its vulnerabilities 
by discovering that one day some former KGB cryptanalyst hired by 
the Mafia had cleaned out their virtual cash vault. 


At the beginning of 1974, Tuchman figured his team was about 
halfway through its work. “We had a pretty good idea how much algo- 
rithm we could get on a single chip,” he says. And much of that algo- 
rithm was written. But two things happened that year that would 
profoundly affect the project. The first would throw it open to the pub- 
lic. The second would cast a clandestine shadow over it that would last 
for a generation. 

IBM was not the only institution aware of the vital need for crypto- 
graphic protection in the computer age. That view was also shared at 
the National Bureau of Standards, the government agency in charge 
of establishing commonly accepted industry standards for a wide vari- 
ety of commercial purposes. The bureaucrats and scientists there 
believed that digital protection should be centered in a single system, 
one well -tested means of encrypting information that would be acces- 
sible by all. So NBS decided to solicit proposals for a standard cryp- 
tographic algorithm. (The NSA declined to submit one of its own 
ciphers, since allowing outsiders to examine its work was unthink- 
able.) In the May 15, 1973, Federal Register, the NBS listed a number 
of exacting criteria that such a standard should meet. 

Not surprisingly, the NBS received no submissions at that time that 
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even vaguely met the criteria. By and large the only cryptographers in 
this country who had the wherewithal and expertise to meet this chal- 
lenge were working behind the Triple Fence. And the work done there 
was never published, never revealed. 

But there was one cryptosystem in development that seemed to fit a 
lot of the government’s needs: Lucifer, the DSD- 1 . Lewis Branscombe, 
IBM’s chief scientist — who, not coincidentally, was himself a former 
head of the NBS — in particular felt that this work in progress might 
be an excellent candidate for the encryption standard for the next 
generation. 

Walt Tuchman was against the idea, primarily because of the trade- 
off involved in submitting the revised Lucifer as a federal standard: 
IBM would be required to relinquish its patent rights, essentially 
giving — not selling — the algorithm to the world. “I was this typical 
capitalistic product manager,” he explains. “I’m in this thing to make 
money, not to foster some great social improvement.” He argued his 
point before IBM’s high-level executive Paul Rizzo, who was then Big 
Blue’s number two. Branscombe presented the other point of view: 
make it public. Finally, Rizzo weighed in. Lucifer, he argued, was like 
a safety component that benefited all of society. If the Ford Motor 
Company came up with a seat belt superior to those of its competitors, 
one that saved the lives of moms and dads, would they allow General 
Motors to use it? You better believe they would, because it was the right 
thing to do. Jimmy Stewart couldn’t have topped that homily. You 
could almost hear the violins playing. The speech convinced not only 
the IBM board, but Tuchman himself, who called a staff meeting when 
he returned to Kingston. “Well, guys,” he said, “we’re going to give 
the stuff away.” 

Not completely, of course. The ways they built Lucifer into a chip, 
the ways they would implement it within a full-featured solution, the 
little tricks to get the most of it . . . these would be great selling points 
for IBM-created versions of the DSD-1. Other companies would get 
access just to the algorithm itself. So maybe it wasn’t such a bad idea 
from a business perspective to give the thing away. 

The feeling at IBM was that merely submitting its work to the NBS 
was sufficient to fast-track DSD-1 toward a coronation as the stan- 
dard. Even though the response date for the NBS’s request for crypto 
algorithms in 1973 had long expired, Branscombe wrote to his NBS 
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successor Ruth Davis in July 1974, offering what he described as the 
“Key-Controlled Cryptographic Algorithm,” developed at Kingston, as 
a candidate. With this favored new candidate already in hand, the 
NBS, somewhat superfluously reissued its request for crypto algo- 
rithms in the August 27, 1974, Federal Register. No serious competi- 
tor emerged. And thus the revised Lucifer, a.k.a. DSD- 1, was destined 
to be known by a lofty, though generic, moniker: the Data Encryption 
Standard. The title would eventually become so familiar among the 
digital cognoscenti that it would be pronounced not as an acronym but 
as a single phoneme: Dez. 


By then, the other crucial process in Lucifer’s transformation was well 
under way. It had been fairly early in 1974 when Walt Tuchman 
received what he later would refer to as “that deadly phone call.” It 
was his boss, telling him he had to take a trip down to the National 
Security Agency to cool them down about Lucifer. 

Tuchman didn’t like it. But he understood the importance of play- 
ing ball with Uncle Sam. By creating a cryptographic product for the 
commercial sector, IBM was treading on strange turf. If the company 
didn’t get export clearance to send its crypto chip to its international 
customers, the whole product might as well be scrapped. What good 
was a product for a global company like IBM if you couldn’t sell it to 
the global market? 

So Tuchman went on his first visit to The Fort. He eyeballed the 
Triple Fence, contemplated the armed marine guards, parked in the 
visitors’ lot, and entered the small concrete building where outsiders 
lacking previous clearance fill in a stack of papers and wait to be 
called. Then an elderly woman appeared and guided him through a 
labyrinth of hallways to the second-level manager assigned to the case, 
a guy just below the deputy -director level. He was not in a military 
uniform or even in a suit. And he quickly proposed a quid pro quo: We 
want to control the implementation of this system. You will develop 
it in secret, and we will monitor your progress and suggest changes. 
We don’t want it shipped in software code — just chips. Furthermore, we 
don ’t want it shipped to certain countries at all, and we will allow you 
to ship it to countries on the approved list only if you obtain a license 
to do so. That license will be dependent on customers we approve sign- 
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ing a document vowing that they will not subsequently ship the product 
to anyone else. 

This went on for a while, until Tuchman finally had a chance to 
speak. “What’s the pro quo of the quid pro quo?” he asked. After all, 
the NSA man had focused entirely on restrictions and conditions, and 
had neglected to mention what IBM would receive for its troubles. 

“The pro quo will be something very useful to you,” said the NSA 
man. The agency itself would qualify the algorithm. Their all-star 
cryptanalysts would analyze it and bang away at it. If there was a 
weakness, it could be noted and corrected. And when the mathemati- 
cal dust settled, IBM would have a priceless imprimatur, one that 
would assure the instant confidence of its customers: the National 
Security Agency Good Secret -Keeping Seal. 

This was a powerful offer. It spoke directly to Tuchman’ s greatest 
f ear — that outlaw codebreakers would discover a shortcut solution 
that would allow them to steal secrets and even money from IBM cus- 
tomers, thus exposing the fabled computer giant to international 
embarrassment and a legal Armageddon. Instead of having to rely on 
the smart but inexperienced amateurs at Yorktown and the random 
consultants they hired, IBM would have the ultimate in due diligence: 
the cryptanalysis gold standard. As soon as he returned from Fort 
Meade, he went to see his boss and urged him, “Let’s do it. Let’s work 
with these guys.” It was a solution that felt good to the top IBMers, 
who, after all, were virtually synonymous with the “Establishment.” So, 
just like that, the country’s single most important cryptographic effort 
in the private sector — save for that of Whit Diffie, still in obscurity 
struggling at Stanford with his weird ideas about one-way functions — 
came under the friendly but firm embrace of the National Security 
Agency. 

Unspoken was the question as to whether the NSA — which after all 
was not an arm of the Commerce Department but an intelligence 
agency, the ultimate spook palace — might discover a gaping weakness 
in DES but keep its collective mouth shut, smug in the knowledge that 
it could use that shortcut to quickly break messages encrypted in the 
IBM code. Tuchman understood the risk of this. As the development 
process unfolded over the next few months and years, he watched for 
signs that this might be happening. Ultimately, he was convinced of 
the NSA’s sincerity. “If they fooled me,” he says, “I will go to my grave 
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being fooled. I looked at those guys eyeball to eyeball. I’m a bit of a 
film buff, and I’ve seen good acting and poor acting. And if the NSA 
people fooled me, they missed their profession. They should’ve gone 
to Hollywood and become actors.” 

From that point on, DES’s development process became, for all 
practical purposes, a virtual annex within the Triple Fence. The gov- 
ernment issued a secrecy order on Horst Feistel’s Lucifer patent, 
known as “Variant Key Matrix Cipher System.” On April 1 7, 1 974, an 
IBM patent attorney sent a memo to the crypto teams at Yorktown 
Heights and Kingston explaining that this meant there would be not 
only no publishing on the subject, but no public discussion whatsoever 
without the written consent of the Commissioner of Patents. Even the 
fact that a secrecy order existed was itself considered a secret, and 
talking about that was just as serious a crime as handing out encryp- 
tion algorithms in the departure lounge at Kennedy Airport. A loose 
lip could result in a $10,000 fine, two years in prison, or both. Fortu- 
nately, the memo explained, “IBM has been granted a special permit 
which allows the disclosure of the subject matter in the application to 
the minimum necessary number of persons of known loyalty and dis- 
cretion, employed by or working with IBM, whose duties involve coop- 
eration in the development, manufacture, or use of the subject matter.” 
Without that exemption, of course, IBM could not have continued its 
effort, because of the obvious difficulty of collaborating on a project 
when one risked a jail term for admitting its existence to a co-worker. 

The NSA’s demands for secrecy were particularly rigid concerning 
the agency’s cryptanalysis of DES. Anything — anything — that shed 
light on the way that The Fort’s codebreakers went about their busi- 
ness was regarded as the blackest of black information. The agreement 
drawn between the agency and the corporation clearly outlined the 
limited nature of what IBM’s scientists could glean from the collabo- 
ration. IBM was strictly required to limit those who were involved in 
the evaluation, and to keep up-to-date lists of those people. Any con- 
tact between Big Blue and Big Snoop would come at a series of brief- 
ings with rules as circumscribed as a Kabuki performance: IBM would 
essentially present information, and the NSA people would silently 
evaluate it. No geeky chatter: the NSA people were formally prohib- 
ited “from entering into technical discussions with IBM representatives 
in regard to the information presented.” Afterward, the NSA folks 


the standard | 55 


would hold postmortems to determine whether the IBM scientists 
might have stumbled on information or techniques “of a sensitive 
nature.” In that case NSA would then formally notify the company, 
and IBM would keep the information under wraps. 

The NSA certainly did know its stuff. It was particularly interested 
in a technique discovered by the IBM researchers that was referred to 
at Watson labs as the “T Attack.” Later it would be known as “dif- 
ferential cryptanalysis.” This was a complicated series of mathe- 
matical assaults that required lots of chosen plaintext (meaning that 
the attacker needed to have matched sets of original dispatches and 
encrypted output). Sometime that year, the Watson researchers had 
discovered that, under certain conditions, the IBM cipher could fall 
prey to a T Attack — a successful foray could actually allow a foe to 
divine the bits of the key. To prevent such an assault, the IBM team 
had redesigned the S -boxes. After the redesign, under even the most 
favorable conditions, a T Attack would provide a cracker only a slight, 
virtually insignificant advantage. 

Hearing about this unhinged the NSA crowd. Apparently, the 
T Attack was very well known — and highly classified — behind the 
Triple Fence. So imagine the agency’s dismay when the IBM team not 
only discovered the trick (which, presumably, the NSA had been mer- 
rily employing to crack enemy codes) but had created a set of design 
principles to defend against it. The crypto soldiers at Fort Meade 
could not tolerate the possibility that such information might leak into 
the general literature. And so the NSA put its secrecy clamp down 
harder on IBM. 

“They asked us to stamp all our documents confidential,” says 
Tuchman. “We actually put a number on each one and locked them up 
in safes, because they were considered U.S. government classified. 
They said do it. So I did it.” 

The man who probably did the most work for IBM on the T Attack, 
Don Coppersmith, would not discuss the issue for twenty years. It was 
not until 1 994 , long after other researchers had independently discov- 
ered and described the technique, that he divulged the S-box design 
principles. “After discussions with the NSA,” he explained in a techni- 
cal article for the IBM Research Journal, “it was decided that the dis- 
closure of the design considerations would reveal the technique of 
differential cryptanalysis, a powerful technique that can be used 
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against many ciphers. This in turn would weaken the competitive 
advantage the United States enjoyed over other countries in the field 
of cryptography.” 

Ultimately, IBM got what it wanted for DES — a clean bill of health 
from the NSA. (This was also a crucial factor in the process by which 
the National Bureau of Standards would place its imprimatur on DES 
as a federal standard.) But IBM paid a steep price for adhering to the 
NSA’s demands to keep its S-box design principles secret. The behav- 
ior of the S -boxes in the DES system involved complicated substitu- 
tions and permutations that put Rube Goldberg to shame. The best 
way that outsiders could evaluate whether those bizarre transforma- 
tions were done simply to produce a tougher cipher — or were clan- 
destinely jimmied to put in a back door by which the NSA could 
secretly get a head-start on codebreaking — was to know why the 
designers chose their formulas. So IBM’s refusal to explain the logic 
behind the S-box design encouraged critics like Diffie and Heilman to 
let their suspicions run wild and entertain all sorts of theories about 
secret back doors. 

Telling people that a presumably public algorithm was based on 
secret designs was a recipe for paranoia, and indeed, the resulting dish 
nourished critics for years. But to the NSA, this point was non- 
negotiable. The Fort Meade brain trust might have considered it a 
necessary evil to allow a strong crypto algorithm into the world of 
banks and corporations. But permitting the release of sophisticated 
techniques that might encourage outsiders to bulletproof their own 
codes . . . well, that was quite unacceptable. 

The whole episode turned out to embody in a nutshell a dilemma 
that the NSA had yet to acknowledge, even to itself. For years, people 
at The Fort could be reasonably confident that when they devised a 
breakthrough technique like differential cryptanalysis, such informa- 
tion would be unlikely to tumble into the public domain. Those days 
were over. Consider that the IBM group had come across the T Attack 
on its own, without the help of government. Differential cryptanalysis 
was ultimately a mathematical technique just waiting to be rediscov- 
ered by someone outside the Triple Fence interested in sophisticated 
codes. The NSA couldn’t hold on to such mathematical machinations 
any more than an astronomer discovering a previously unknown nebula 
could cover up the skies to mask its presence to future stargazers. 
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This was to be the reality of the dawning era of public crypto: 
whether the NSA liked it or not, bright minds were inevitably going to 
reinvent the techniques and ideas that had been formerly quarantined 
at Fort Meade — and maybe come up with some ideas never contem- 
plated even by the elite cryptographers behind the Triple Fence. 


S -boxes aside, the most controversial feature of DES would be its 
key length. Horst Feistel’s Lucifer specified a 128-bit key. But clearly 
the National Security Agency did not want the national encryption 
standard — even if it were used only by financial institutions and 
corporations — to lock information within such a mighty safe. By the 
time the algorithm had threaded its way through the Triple Fence and 
was released as a potential NBS standard, the key length had been cut 
in half, and then cut some more, down to the relatively paltry 56 bits. 

It’s hard to exaggerate the difference this makes. Assume that a 
codebreaker trying to crack DES is unable to discover any shortcuts 
to cracking. The only way that an intruder can recover an encrypted 
message, then, is to launch a brute-force attack, experimenting with 
every possible key combination until he finds the one that was used to 
scramble the original. Such a search is the equivalent of a safecracker 
painstakingly twisting the dial to stumble upon the exact series of 
numbers that would align the tumblers. Even with a computer twist- 
ing the virtual dials at high speed, a very large keyspace (a numeri- 
cal range that contains all possible key combinations) can make such 
a search impossible to pull off. A 128-bit key is very, very large. If a 
computer tried one million keys every second — a million different 
combinations of the numbers on the safe dial — it would take aeons to 
try every possible key. 

So what would be the effect of cutting the key size in half? To 
assess this, you have to keep in mind the nature of digital numbers. 
Each bit in a binary key is like a fork in the road that a codebreaker 
must negotiate in order to get to the destination of the correct combi- 
nation of ones and zeros. Every fork presents a random choice 
between the correct turn and the wrong turn; a 128-bit key means that 
you have to guess the correct way to turn 128 times in a row. To make 
the course twice as difficult, you simply have to add one more fork; 
then you’ve created twice as many possible paths to negotiate, but still 
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only one is correct. But to make the course half as difficult, you don’t 
divide the number of forks by two, but simply remove one. 

That’s why removing a single bit from the key size means that the 
encrypted message is only half as safe as it was before. Switching from 
a 128 -bit key to a 127-bit key means you’re cutting by half the work 
factor to break it. If you cut the key size one more bit, to 1 26 bits, then 
you’ve halved that key. And so on. 

According to Tuchman, the Kingston group figured that a 128 -bit 
key was not only overkill but would require too much chip space and 
computation. “We had to fit the whole algorithm on there,” says Tuch- 
man. “The S-boxes, everything. We were using two-micron CMOS 
chips, and the data coming in could only be 8 bytes wide [one byte 
equals eight bits]. So our first key length was 64 bits.” Sixty-four bits 
was a good fit for a chip, a number divisible by the eight-bit bytes. 

This was quite a dramatic reduction. It cut down the time required 
for a full search on the theoretical million-keys-a-second computer 
from billions of years to around 300,000. Still, a 64-bit key length was 
considerable in the mid-1970s, especially since it was agreed that 
computer technology would not be sufficiently advanced to conduct 
searches at such speeds for the next couple of decades. 

But then the Kingston group made a seemingly inexplicable second 
cut, to the mathematically awkward key length of 56 bits. And sud- 
denly, the possibility of a brute-force attack was smack in the picture. 
Why did a lousy eight bits make such a difference? Remember, every 
time the key is reduced by a single bit, it becomes twice as easy to 
crack. So this eight-bit loss made the cipher 256 times easier to crack: 
from 300,000 years to a little over a thousand. Put another way: the 
percentage of key space that formerly would have occupied a foe’s 
computers from January to August could now be scanned in less than 
a day. 

What was IBM’s explanation for this? According to Tuchman, it 
was standard company practice in hardware design to allow a certain 
number of extra bits for “parity checks,” a sort of synchronization 
to make sure that the electronic signals were being properly read. “It 
was an IBM internal spec,” he says, at the same time admitting that it 
was a “foolish” requirement. “We don’t do that anymore, but at the 
time we had a standard — so I had to reduce the key size [to accom- 
modate the extra bits].” 
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Tuchman didn’t think that this further cut really compromised 
DES. (Privately disagreeing with this was Horst Feistel, who still pre- 
ferred a 128 -bit key. But he was no longer actively involved with the 
project and would soon be quietly eased out of IBM itself.) Tuch- 
man and his colleague Karl Meyer believed that a 56-bit key, with its 
70 quadrillion variations, was more than sufficient for the commercial, 
even the financial, secrets that DES would protect. The idea of DES, 
Tuchman would argue, was to provide computer networks the level of 
security that people had in their physical workplaces: locked desk 
drawers, locked doors on computer rooms, and loyal, well-behaved 
employees.” Not the military secrets customarily transported in explod- 
ing briefcases handcuffed to couriers or entrusted to spies who were 
taught to ingest poison pills upon capture. 

Others, however, have always believed that the reduction was 
caused by NSA pressure. This even included skeptics inside IBM, like 
Alan Konheim, who headed the mathematical team on the DES proj- 
ect. “Fifty -six bits is very unnatural,” says Konheim, obviously dis- 
regarding Tuchman’s “parity check” explanation. “The government 
[must have] said, ‘Listen, 64 bits is too much— make it 56.’ ” Why 
would IBM go along with it? “You see, IBM does business all over the 
world. It can’t send a pencil outside the United States without an 
export license. Not only that, when [the NSA invokes] patriotism and 
national security, well, these are not things you can argue about.” 

To outsiders like Martin Heilman and Whit Diffie, of course, the 
key size was a smoking gun that proved the NSA had weakened the 
standard for its own nefarious purposes. In the months after the stan- 
dard was first announced, the Stanford cryptographers wrote a steady 
stream of suggestions and objections to their contact at the National 
Bureau of Standards — and became increasingly frustrated that the 
officials kept insisting that there was no problem. Heilman came to 
believe that the NBS wasn’t speaking for itself but was acting as a 
stooge for Fort Meade. 

To prove his point about the weakness of the key size, Heilman 
challenged an executive he knew at IBM to contradict his and Diffie s 
contention that this DES key could actually fall in a day to a sophisti- 
cated, high-powered machine. At this point, the Stanford researchers 
were postulating that such a machine could be built for $20 million. 
Thus, if one key were broken each day, over a five-year period the 
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price of breaking each key would be around $10,000. Not a bad 
investment if some of the broken messages included precious data like 
oil reserve locations and corporate merger plans — such information 
was worth millions. “But even if we were off by a whole order of mag- 
nitude, and it would cost $100,000, that wouldn’t matter,” says Hell- 
man. “Because in five years computers would be ten times faster, and 
the solution would cost only a tenth as much as it would now.” 
According to Heilman, the IBM executive ordered his own researchers 
to investigate. “He called me back and said that their numbers were in 
the same ballpark as ours,” says Heilman. “That was his exact word, 
the ‘ballpark.’ But he told me that the key size was set by the NBS, 
not IBM.” 

Meanwhile, officials at the NBS were assuring Heilman, in their 
responses to his frequent, increasingly pointed letters, that their own 
studies showed that a machine like the one envisioned by Heilman 
would take all of ninety-one years to search through a DES keyspace. 
Obviously, they were not playing in the same ballpark. 

Heilman believed that all of this was bald evidence that the Data 
Encryption Standard was a swindle from the start. It was all the NSA’s 
master plan. The supposedly benign NBS — acting as the NSA’s pub- 
lic face — allowed IBM to construct its algorithm independently. This 
gave it deniability: Hey, it wasn’t us spooks who cooked it up, Big Blue 
did. But by getting IBM to cut the key size to an infuriatingly puny 
56 bits, the spooks got what they wanted anyway. “They knew they 
could control the key size, which would ultimately control the strength 
of the standard,” complains Heilman. 

And that was the kindest interpretation. If you wanted to be 
skeptical — and like any good cryptographer, Heilman and his col- 
leagues were plenty skeptical — you’d still wonder about the possi- 
bility of an actual trapdoor that would allow the Fort Meade tricksters 
to decode a DES message within seconds. Why else were they keep- 
ing the design principles a secret? 

In any case Heilman rejected the government’s ninety-one-year 
estimate and decided to go over the heads of the NBS functionaries 
with whom he was corresponding. On February 23, 1976, Heilman 
stated his complaints in a letter to Elliot Richardson, who, as secretary 
of commerce, was the ultimate boss of the NBS: 
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I am writing to you because I am very worried that the 
National Security Agency has surreptitiously influenced the 
National Bureau of Standards in a way which seriously lim- 
ited the value of a proposed standard, and which may pose 
a threat to individual privacy. I refer to the proposed Data 
Encryption Standard, intended for protecting confidential 
or private data used by non-military federal agencies. It will 
also undoubtedly become a de facto standard in the com- 
mercial world. 

... I am convinced that NSA in its role of helping NBS 
design and evaluate possible standards has ensured that the 
proposed standard is breakable by NSA. 

The response Heilman received from Ernest Ambler, the acting 
director of the NBS, did little to cool him down. Instead of answering 
Heilman’s charges directly, Ambler gave some general comments 
defending DES, and praised the NSA for its contributions in certify- 
ing the algorithm. He helpfully attached an executive order which out- 
lined “the functions and responsibilities of NSA.” Monkeying with 
private -sector algorithms didn’t make the list. 

That summer, Heilman, Diffie, and five other academics took a 
month to bang on the system and produced a paper called “Results of 
an Initial Attempt to Cryptanalyze the NBS Data Encryption Stan- 
dard.” They were straightforward about their concerns: any algorithm 
approved by the NSA was “mildly suspect a priori” because “the NSA 
does not want a genuinely strong system to frustrate its cryptanalytic 
intelligence operations.” It was not surprising, then, that while falling 
far short of actually breaking a DES key, they concluded that the sys- 
tem could not be trusted. Besides the key strength, they found what 
they considered a “suspicious structure” in the S -boxes — possibly, 
they wrote, “the result of a . . . deliberately set trapdoor.” 

To IBM’s Walt Tuchman, though, the Diffie-Hellman complaints 
were a travesty born of paranoia and ignorance. He was no secret 
agent — he was a product guy — and to the best of his ability, he’d led a 
team to create a good product! It had been a happy day for his team 
when the first two DES devices were completed. They were shoe-box- 
sized metal cases stuffed with chips that went between a mainframe 
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computer and a modem. Such a device on each end of a data transfer 
would allow two computers to communicate in a secret stream, imper- 
vious to eavesdroppers — no matter what Marty Heilman said. One box 
was sent to IBM’s Paris headquarters, the other to Lew Branscombe’s 
office in Armonk. Then they made some history. The Paris office sent 
off an encrypted message to the Armonk machine. The Armonk 
machine, having been previously fed the symmetrical key that per- 
formed both encryption and decryption, deciphered the message back 
to its original form. “It went to a little printer and the message was 
printed in all the IBM newspapers,” recalls Tuchman. “It was some 
innocuous little message, of course, because everybody knew it was 
going to be published in the clear.” 

All that happiness, though, was tempered by the attacks that came 
from Heilman and friends. Tuchman and his colleague Karl Meyer 
had to defend themselves at two public workshops sponsored by the 
NBS. The second, held in September 1976 at the NBS’s Gaithersburg, 
Maryland, headquarters, was the most contentious. I didn’t do any- 
thing wrong! insisted Tuchman. The key size was plenty big enough, 
and building a machine to crack DES would not take Heilman’s low- 
seven-figure pricetag, but a cool $200 million. And if that key size 
wasn’t large enough, people could design devices to run DES through 
its paces twice, with two different keys. Though such a process might 
be difficult to set up, this would effectively double the key size to 1 1 2 
bits — enough keyspace to confound every damned computer on the 
planet for the next gajillion years. (Eventually, a process would emerge 
called “Triple DES,” which would use three keys and rule out even the 
most extravagantly brutish of attacks. But all of this was a moot point 
because the version of DES with the allegedly hobbled 56 bits was the 
one proposed for the standard.) 

Tuchman’s appeal failed to quiet the critics. Why didn’t you publish 
the design heuristics? they wanted to know. Did you put a trapdoor 
in DES? 

Then came the newspapers. “Those professors told the New York 
Times and the Washington Post,” Tuchman complains. The next thing 
he knew, at IBM’s request, Tuchman himself was being interviewed. 
After taking a gander at the newly famous desks of Woodward and 
Bernstein, he told the Post reporter the same thing he told the Times 
reporter: The NSA didn’t modify the algorithm. They didn’t put a trap- 
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door in. Look, you guys, it’s ridiculous; we’re not going to risk the entire 
IBM company by putting a trapdoor in its product. 

Even so, the publicity took its toll. It was bad enough that the 
Times, the Post, and the Wall Street Journal were listening to Heilman 
and the critics. Worse came when Tuchman’s own mother called him 
from her retirement home in Florida, concerned with what friends had 
been telling her after reading the New York papers. She pleaded with 
her son, who had started life so wonderfully as a whip -smart college 
boy from Brooklyn: Please, Walter, leave IBM and stop hanging around 
with those bad people. Tuchman had to explain to her that he wasn t 
going to wind up in a jail cell with Ehrlichman and Haldeman he 
was a good guy! 

After the publicity came hearings by the Senate Intelligence Com- 
mittee. These top-secret sessions were closed, and the final report was 
classified. But a summary was issued for the general public, too. Its 
contents provided ammunition to both sides. 

On one hand, Heilman was proved correct in asserting who the 
power was that dictated the 56-bit key: “The NSA convinced IBM 
that a reduced key size was sufficient,” the report read. The reduction 
wasn’t, as Tuchman still insists, due to the rigor of chip design or the 
need for parity checks: it was the fact that the government wouldn’t 
tolerate anything more. IBM knew that it would need export licenses 
for approved customers. But the NSA, which had been charged to col- 
laborate with the National Bureau of Standards in evaluating DES as 
a government standard, certainly was not going to rubber-stamp an 
algorithm that used, in its view, too long a key. Apparently, the 56-bit 
key length provided the NSA a certain comfort level. Though the work 
factor to break a cipher of that length seemed dauntingly high, it was 
clear that if anyone could contemplate a brute-force attack on DES, it 
was the National Security Agency itself, with what were assumed to be 
literally acres of computers in its top-secret basement. Obviously, 
while an ideal code for users was the strongest one possible, the ideal 
code for the NSA’s purposes would be one that was too powerful for 
criminals and other foes to break, but just weak enough to be broken 
by the billions of subterranean computer cycles at Fort Meade. Did a 
56-bit key fit into that sweet spot? The NSA didn’t say. And never 
would. 

Despite its conclusion that the key size was a result of NSA 
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demands, the committee concluded that there was no wrongdoing by 
either IBM or the government. The Data Encryption Standard had 
been determined fairly. Like it or not, this was something that Marty 
Heilman and his friends would have to accept. 

It took years, but eventually they not only accepted it, but came to 
eat some crow. As Walt Tuchman proudly notes, for more than two 
decades after the algorithm was formally accepted as a standard in 
1977, no one had been successful at finding a significant shortcut to 
cracking a DES -encrypted message. (Of course, if the NSA had done 
so, it would never have admitted it.) 

In 1990, outside cryptanalysts revealed the technique of what was 
called differential cryptanalysis, proving that under certain (admittedly 
rare) conditions, one could crack a DES key using slightly less com- 
putation than a brute-force attack would require. But this was essen- 
tially the “T Attack,” discovered by IBM during the development 
process in time to fortify the algorithm against such assault. And kept 
confidential at the NSA’s request. (A different group of researchers 
introduced another theoretical attack on DES, linear cryptanalysis, in 
1993 — but neither did it truly compromise the cipher.) 

So if the key size was indeed the only point of attack in DES — if 
one had to devote massive computational resources to breaking a sin- 
gle message and then wait for days, weeks, or months for the cipher 
to crumble — then the National Security Agency had certified what 
could be an extraordinarily powerful tool for the spread of strong 
encryption throughout the land, and maybe even the world. It had 
always been the impression of the folks behind the Triple Fence that 
the users of DES would be conservative, trustworthy institutions like 
banks and financial clearinghouses. They misjudged the situation. 
Instead, the development of DES marked the beginning of a new era 
of cheap, effective means of using computer power to keep personal 
information private. It was used not only in banks but in all sorts 
of commercial communications, and was widely available to private 
communications, too. Though the NSA still controlled its export, it 
quickly grew unfettered within U.S. borders. And while U.S. produc- 
ers could not market DES overseas, the algorithm itself would find its 
way overseas, allowing foreign developers to make their own versions. 

The dawning of this era of increased protection might have pleased 
some of the people in the communications security branch of the 
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NS A, which was in charge of securing American data as they moved 
around the globe. But it was already causing conniptions among those 
in the signals intelligence area, the people whose job it is to make sure 
that our guys can quickly intercept and circulate all the rich and fas- 
cinating information buzzing around the globe as electronic blips. If 
those blips were encrypted, and thus not easily read, well, then, that 
would be a problem. Making things even worse were the faster and 
cheaper computer technologies that made it feasible — made it the 
rule, in fact — for DES users to switch keys not every few months as 
the NSA assumed they might, but on a daily basis or even more often 
than that. 

Yes, the Data Encryption Standard was a problem for The Fort. 
Years later even Martin Heilman came to realize that his attacks some- 
times were based more on bravado than substance. They were Darth 
Vader and I was Luke Skywalker,” he says. “I was bearding the NSA, 
and that’s a pretty heady thing for a young guy to be involved in.” 
Now, however, he admits that there were two sides to the issue: that 
DES, despite its key size, was strong enough to provide a measure of 
security to people, and that even though the NSA could presum- 
ably marshal the resources to brute-force a DES key into submission, 
the process was certainly more cumbersome and costly than simply 
reading an unencrypted intercept. DES was the NSA’s first lesson 
that the new age of computer security was going to complicate its 
life considerably — perhaps even to the point of shaking the entire 
institution. 

Alan Konheim thinks that the bottom line on DES came from 
Howard Rosenblum. He was the deputy director for research and 
development at the NSA, where football fields of mainframe comput- 
ers cracked the codes of the country’s friends and enemies and tested 
the codes that potentially protected our own secrets. One day, Rosen- 
blum and Konheim were talking about DES, and the NSA official 
made an off-the-cuff remark that stayed with Konheim for years. “You 
did too good a job,” he said. 

“It was not,” Konheim says delightedly, “a comment of flattery.” 


public key 


l hough Whit Diffie and Marty Heilman regarded the Data Encryp- 
tion Standard as a tainted and possibly fraudulent gambit by IBM and 
the United States government, its introduction was in a strange way 
an important gift to the Stanford researchers. By combing through 
the available technical data on the proposed standard — and speculat- 
ing on what was not made public — Diffie and Heilman had a new 
prism through which to consider their own efforts. Ever since Diffie 
had heard the first reports of the government standard, at a 1974 
chowdown at Louie’s, the Chinese restaurant where Stanford geeks 
congregated, he had wondered about the possibility of an NSA trap- 
door. This led him to a deeper consideration of the concept of trap- 
doors. Could an entire crypto scheme be built around one? 

Designing such a system would present considerable challenges, 
because it would have to resolve a fundamental contradiction. A trap- 
door provides a means for those with proper knowledge to bypass 
security measures and get quick access to encrypted messages, some- 
thing that seems efficient. But the very thought of using a trapdoor in 
a security system seems like a nutty risk, precisely because crafty 
intruders might find a way to exploit it. It’s the same problem posed 
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by a physical trapdoor: if your enemies can’t find it, you can use it to 
hide. But if they do, they’ll know exactly where to look for you. 

This contradiction made the prospect of designing a trapdoor 
scheme incredibly daunting. After all, the strongest cryptosystems 
were finely tuned in every aspect to prevent their contents from leak- 
ing. Tampering with their innards to insert a back door — a leak! — 
could easily produce any number of unintended weaknesses. When 
Diffie explained this to Heilman, both of them concluded that such a 
system would probably be impractical. But Diffie still thought it was 
interesting enough to add to a list he was compiling entitled Problems 
for an Ambitious Theory of Cryptography.” 

Still, in early 1975, for all of Diffie’s Sisyphean labors, even with the 
fruitful collaboration with Heilman, weeks were going by and he didn’t 
seem to be getting anywhere. Was all his work at learning crypto 
against terrific odds going to lead to nothing? Heilman at least had a 
job. But Diffie had nothing. Though his house-sitting stint for John 
McCarthy was pleasant enough, he was now over thirty years old, 
making peanuts at his research job, and it was clear that he could 
never cope with the nit-picking hurdles one had to jump before earn- 
ing a doctorate. Though Diffie was by nature cheerful, these rumina- 
tions were bringing him down. 

Mary Fischer recalls the lowest point. One day she walked into the 
McCarthys’ bedroom and found Diffie with his head in his hands, 
weeping. “I asked him what was wrong,” she says, “and he told me he 
was never going to amount to anything, that I should find someone 
else, that he was — and I remember this exact term — a broken-down 
old researcher.” 

She tried to comfort him. She told him that the world didn’t know 
it yet, but he was a great man. Mary had been studying Egyptology, and 
she explained that the ancient Egyptians made a distinction between 
acquired and innate characteristics. She believed “greatness” must be 
one of those traits that were not acquired — it was just there, and one 
could see it in such a person. “I know what I m looking at, she told 
him, “and I know you’re a great man.” 

Whit Diffie did not feel like a great man. He felt like a failure. 

One day Diffie and Heilman brought in a Berkeley computer scien- 
tist named Peter Blatman to attend one of the informal seminars on 
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crypto they had been convening on campus. Afterward, as Diffie drove 
him to the Stanford AI lab a few miles away, Blatman mentioned that 
a friend of his named Ralph Merkle was working on an interesting 
problem: how can you get a secure conversation over an insecure line 
when the two people in the conversation have never had previous con- 
tact? Obviously, if the two people hadn’t known each other previously 
they would have had no opportunity to exchange secret keys before a 
private conversation. 

This was, in effect, a different formulation of the big question that 
had been bugging Diffie for years: was it possible to use cryptography 
to protect a huge network against eavesdroppers, and wiretappers to 
boot? (More subtly, it reflected Mary’s observation of his dilemma: 
in a world of untrustworthy people, how do you maintain intimate 
contact with the one person you trust?) Because Diffie had enjoyed so 
little success at attacking that problem, he argued to Blatman that his 
friend’s scheme was in fact impossible. Diffie thinks that his outburst 
even convinced Blatman. But even as Diffie passionately argued the 
impossibility of such a feat, he secretly believed otherwise, and his 
mind was racing to figure it out. It was almost as if he needed there to 
be such a solution. 

How could you create a system where people who had never met 
could speak securely? Where all conversations could be conducted 
with high-tech efficiency — but be protected by cryptography? Where 
you could get an electronic message from someone and be sure it 
came from the person whose return address appeared? 

During his quest, Diffie had struggled to gather information in an 
atmosphere where almost all of it was classified. And he had wound up 
with more than anyone could have expected: one-way functions. 
Password protections. Identification Friend or Foe. Trapdoors. Some- 
where in all of that had to be an answer to privacy. Diffie knew that 
reconciling the different protections offered by these disparate systems 
was crucial to his quest. As he thought more, he began to understand 
how you might be able to use some of those techniques to verify some- 
one’s identity. He began mentally constructing a means by which this 
could be done by one-way functions, the mathematical phenomenon 
where something easily calculated could not easily be reversed. Such 
a scheme would be, as he later wrote, “a challenge which could only 
be answered by one person but whose response could be recognized 
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by many as genuine.” In other words, a system of “one-way authenti- 
cation,” which used the creative misunderstanding of his friend Bill 
Mann some years earlier: a trapdoor one-way function where the dif- 
ficult reversal of a calculation could be performed if someone had a 
crucial bit of information on how the original figuring had been done. 

This addressed a key issue that Diffie had discussed in his conver- 
sations with McCarthy about electronic commerce. But that was only 
half the problem. What about privacy? Could the idea of a trapdoor 
one-way function work in a system that solved two problems first, 
the authentication necessary for computer passwords and similar cre- 
dentials, and, second, secret communication? 

That spring, Diffie had settled into a routine at the McCarthy 
house. Every morning he would make breakfast for Mary and Sarah, 
McCarthy’s fourteen-year-old daughter. Then Mary would go off to 
work, Sarah would go off to school, and Diffie would stay home. One 
day in May 1975, he spent the morning hours thinking. After a lunch 
break, he returned to his mental work. For the umpteenth time, he had 
been thinking about the problem of establishing a secure log-in pass- 
word on a computer network. Again, there was that old problem of 
having to trust the administrator with the secret password. How could 
you shut that third party out of the scheme entirely? Sometime in the 
afternoon, things suddenly became clear to Diffie: devise a system 
that could not only provide everything in Diffie’s recently envisioned 
one-way authentication scheme but could also deliver encryption and 
decryption in a novel manner. It would solve the untrustworthy ad- 
ministrator problem, and much, much more. 

He would split the key. 


Diffie’s breakthrough itself involved something that, in the context of 
the history of cryptography, seemed an absolute heresy: a public key. 
Until that point, there was a set of seemingly inviolable rules when it 
came to encryption, a virtual dogma that one ignored at the risk of 
consignment to crypto hell. One of those was that the same key that 
scrambled a message would also be the instrument that descrambled 
it. This is why keys were referred to as symmetrical. That is why keep- 
ing those keys secret was so difficult: the very tools that eavesdroppers 
lusted after, the decryption keys, had to be passed from one person to 
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another, and then existed in two places, dramatically increasing the 
chances of compromise. But Diffie, his brain infused with the informa- 
tion so painstakingly collected and considered over the past half 
decade, now envisioned the possibility for a different approach. Instead 
of using one single secret key, you could use a key pair. The tried-and- 
true symmetrical key would be replaced by a dynamic duo. One would 
be able to do the job of scrambling a plaintext message — performing 
the task in such a way that outsiders couldn’t read it — but a secret 
trapdoor would be built into the message. The other portion of the key 
pair was like a latch that could spring open that trapdoor and let its 
holder read the message. And here was the beauty of the scheme: yes, 
that second key — the one that flipped open the trapdoor — was of 
course something that had to be kept under wraps, safe from the pry- 
ing hands of potential eavesdroppers. But its mate, the key that actu- 
ally performed the encryption, didn’t have to be a secret at all. In fact, 
you wouldn’t want it to be a secret. You’d be happy to see it distrib- 
uted far and wide. 

Now, the idea of ensuring privacy by using keys that were exchanged 
totally in the open was completely nonintuitive, and on the face of it, 
bizarre. But using the mathematics of one-way functions, it could 
work. Diffie knew it, and for an illuminating instant, he knew how to 
do it using one-way functions. 

It was the answer. From that moment, everything was different in 
the world of cryptography. 

First, by presenting an alternative to systems that worked with a 
single, symmetrical key, Diffie had solved a problem that had become 
so embedded in cryptographic systems that it had occurred to almost 
no one that it could be solved: the difficulty of distributing those secret 
keys to future recipients of secret messages. If you were a military 
organization, you might be able to protect the distribution centers that 
handled symmetrical keys (though God knows there were lapses even 
in the most vital operations). But if such centers moved into the pri- 
vate sector, and masses of people needed to use them, there would not 
only be inevitable bureaucratic pile-ups but also a constant threat of 
compromise. Figure it this way: if you needed to crack an encrypted 
message, wouldn’t the very existence of a place that stored all the 
secret keys present an opportunity for some creep to get the keys by 
theft, bribery, or some other form of coercion? 
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But with a public key system, every person could generate a unique 
key pair on his or her own, a pair consisting of a public key and a pri- 
vate key, and no outsider would have access to the secret key parts. 
Then private communication could begin. 

Here’s how it would work: say that Alice wants to communicate with 
Bob. Using Diffie’s concept, she needs only Bob’s public key. She 
could get this by asking him for it, or she might get it from some 
phone -book- type index of public keys. But it has to be Bob s personal 
public key, a very long string of bits that could only have been gener- 
ated by only one person in the world . . . Bob. Then, by way of a one- 
way function, she uses that public key to scramble the message in such 
a way that only the private key — the other half of that unique key 
pair — performs the decrypting calculation. (Thus the secret key is the 
“trapdoor” in the trapdoor one-way function Diffie was thinking 
about.) 

So when Alice sends the scrambled message off, only one person in 
the world has the information necessary to reverse the calculation and 
decipher it: Bob, the holder of the private key. Say that the scrambled 
message gets intercepted by someone desperate to know what Alice 
had to say to Bob. Who cares? Unless the snooper has access to the 
unique partner of Bob’s public key — the instrument Alice used to con- 
vert the message to seeming mush — the snoop would get no more 
than that mush. Without that private key, reversing the mathemati- 
cal encryption process is too damn difficult. Remember, going the 
wrong way in a one-way function is like trying to put together a pul- 
verized dinner plate. 

Bob, of course, has no problem reading the message intended for 
his eyes only. He possesses the secret part of the key pair, and he can 
use that private key to decipher the message in a jiffy. 

In short, Bob is able to read the message because he is the only per- 
son in possession of both sides of the key pair. Those who obtain the 
public key have no advantage in attempting to break the message. 
When it comes to encrypted messages, the only value of having Bob s 
public key is to, in effect, change the message to Bob-speak, the lan- 
guage that only Bob can read (by virtue of having the secret half of the 
key pair) . 

This encryption function was only part of Diffie’s revolutionary 
concept, and not necessarily its most important feature. Public key 
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crypto also provided the first effective means of truly authenticating 
the sender of an electronic message. As Diffie conceived it, the trap- 
door works in two directions. Yes, if a sender scrambles a message 
with someone’s public key, only the intended recipient can read it. But 
if the process is inverted — if someone scrambles some text with his or 
her own private key — the resulting ciphertext can be unscrambled 
only by using the single public key that matches its mate. What’s the 
point of that? Well, if you got such a message from someone claiming 
to be Albert Einstein, and wondered if it was really Albert Einstein, you 
now had a way to prove it — a mathematical litmus test. You’d look up 
Einstein’s public key and apply it to the scrambled ciphertext. If the 
result was plaintext and not gibberish, you’d know for certain that it 
was Einstein’s message — because he holds the world’s only private 
key that could produce a message that his matching public key could 
unscramble. 

In other words, applying one’s secret key to a message is equivalent 
to signing your name: a digital signature. But unlike the sorts of sig- 
natures that are penned on bank checks, divorce papers, and baseballs, 
a digital John Hancock cannot be forged by anyone with the minimal 
skills required to replicate the original signer’s lines and loops. With- 
out a secret key, the would-be identity thief has scant hope of pro- 
ducing a counterfeit signature. 

Nor could a would-be forger hope to monitor a phone line, wait 
until his prey’s digital signature appears, and then snatch it, with the 
intention of reusing the signature to create faked documents or to 
intercept future messages. In practice, a digital signature is not applied 
as an appendage to the document or letter to which it is affixed. 
Instead it is deeply interwoven with the digits that make up the actual 
content of the entire message. So if the document is intercepted, the 
eavesdropper cannot extract from it the tools to stamp the sender’s 
signature on some other document. 

This technique also assures the authenticity of an entire document. 
A foe cannot hope to change a small but crucial portion of a digitally 
signed document (like switching the statement “I am not responsible 
for my spouse’s debts” to “I take full responsibility for my spouse’s 
debts,” all the while maintaining the signature of the unwitting 
sender). If the message was digitally signed with a private key but 
unencrypted, such a rogue could intercept it, use the sender’s well- 
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distributed public key to descramble it, and then make the change in 
the plaintext. But what then? In order to resend the text with the 
proper signature, our forger would require the private key to fix the 
signature on the entire document. That secret key, of course, would be 
unobtainable, remaining in the sole possession of the original signer. 

If someone sending a signed message wanted secrecy in addition to 
a signature, that’s easy, too. If Mark wanted to send an order to his 
banker, Lenore, he’d first sign the request with his private key, then 
encrypt that signed message with Lenore’s public key. Lenore would 
receive a twice - scrambled message: shaken for privacy, stirred for 
authentication. She would first apply her secret key, unlocking a mes- 
sage that no one’s eyes but hers could read. Then she would use 
Mark’s public key, unlocking a message that she now knows only he 
could have sent. 

Digital signatures offer another advantage. Since it is impossible for 
a digitally signed message to be produced by anyone but the person 
who holds the private key that scrambles it, a signer cannot reasonably 
deny his or her role in producing the document. This nonrepudiation 
feature is the electronic equivalent of a notary public seal. 

For the first time, it became possible to conceive of all sorts of offi- 
cial transactions — contracts, receipts, and the like — to be performed 
over computer networks, with no need for one’s physical presence. 

In short, Diffie had not only figured out a way to assure privacy in 
an age of digital communications, but he had enabled an entirely new 
form of commerce, an electronic commerce that had the potential not 
only to match but to exceed the current protocols in commercial trans- 
actions. Even more impressive, his breakthrough had been performed 
completely outside the purview of government agencies in close pos- 
session of even the most trivial details of the most obscure crypto- 
graphic system. 

What a triumph for Whit Diffie! And what a panic he had when, 
scant moments after hatching one of the most important break- 
throughs in cryptographic history, Whit Diffie almost forgot the whole 
thing. He went downstairs to get a Coke and for one horrible mo- 
ment the idea simply fell out of his head. He stepped back around the 
kitchen counter, and, just like that, he got it back. This time, it stuck. 
Still, he didn’t write it down; suddenly, he was hyperaware that the 
computer on which he kept his notes was not secure. There was no 
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way to encrypt his thoughts so that intruders could not steal them. He 
would have to tell Marty Heilman about it face-to-face. 

But first he waited until Mary got home from work. 

When Mary Fischer came home from British Petroleum that day, 
she found her husband waiting for her at the door. This was not usual. 
He had a strange look on his face, and he told her to come to him, that 
he wanted to talk to her. 

“I think,” said Whit Diffie, “I’ve made a great discovery.” 

He explained his idea to her. Though the mathematics of the pro- 
cedure were beyond her, the concept rang true. What’s more, from 
Mary’s close observation of her husband during the years he had 
wrestled with the problem, she found the solution to be not just fitting, 
but poetic. “Whit has always been a dualistic individual,” she says of 
her husband, born under the sign of Gemini, “and I think that the 
notion of splitting the key emerged from that tension.” 

He was not a broken-down old researcher after all. 


That night Diffie walked down the hill to Heilman’s house to tell 
him, for the first time, about public key cryptography. It took a bit 
of explaining, but Heilman quickly understood the significance of 
Diffie’s brainstorm. It remained, however, for them to formalize it, to 
put it into scientific context, and to publish it. Marty Heilman had just 
the place for it; he had been invited to write a paper for the jour- 
nal IEEE Transactions on Information Theory, and he broached this 
idea to his editor, who enthusiastically endorsed his suggestion that 
he and Diffie collaborate on developing this concept. (The IEEE, or 
Institute of Electrical and Electronic Engineers, was a prominent aca- 
demic engineering society which published a variety of journals, some 
the most influential in their disciplines.) They set about working on it 
immediately, squarely facing the fact that while Diffie had successfully 
envisioned a system that could catapult cryptography into a new era, 
his vision was all they had. 

Even to Heilman, the concept, he later recalled, sometimes 
“sounded a little crazy.” One day he decided to run it past his former 
IBM colleague Horst Feistel. It was a weird conversation. Heilman 
had barely begun talking when Feistel told him that they could only 
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talk for twenty minutes or so because he was on his way to a doctor s 
appointment. So Heilman hastily explained how he and Diffie had got- 
ten around the key distribution problem by postulating a trapdoor 
one-way function that allowed you to use a public key. Feistel didn’t 
buy it at all. “You can’t do that!” he admonished Heilman, lecturing to 
him that the great Flemish cryptologist Auguste Kerckhoffs, in his 
landmark 1 88 1 work La cryptographic militaire, had laid out six iron- 
clad commandments for producing secure ciphers, and one of them 
was that all secrecy must reside not in the system but in the keys. How, 
then, concluded the IBM genius behind the Lucifer cipher, could you 
even think of making a key public? (Had Feistel not been in such a 
hurry to make his doctor’s appointment, perhaps he would have 
understood that Diffie and Heilman’s idea quite elegantly conformed 
to Kerckhoffs’s stringent requirements, that the security of public key 
systems lay in the fact that a private key was never accessible to any- 
one but its owner.) 

Feistel was right on one count: Diffie’s concept was a heresy. But 
“heresy is the way changes begin,” says Heilman. For the next few 
weeks the pair worked intensely on creating the mathematical basis for 
the theory of public key cryptography. Heilman by then had figured 
out how his collaboration with his mercurial partner would work: 
“Whit often, playing with ideas, sees something first in an embryonic 
form,” he says, “and then I take it to a more polished result.” 

In this case, the result was a paper called “Multiuser Cryptographic 
Techniques.” In a sense, the work was a placeholder — something that 
would express the public key idea while its authors burned brain cells 
attempting to find a way to actually execute the concept. “At present,” 
they admitted in the paper, “we have neither a proof that public key 
systems exist, nor a demonstration system.” While they had laid out 
the mathematical basis for such a system, they were still groping for the 
precise functions — particularly the trapdoor one-way functions — that 
would make it happen. Still, those who received early drafts of the 
paper found it an astounding twist on the conventional cryptographic 
wisdom, a foray into territory where no one, from Trithemius to Tur- 
ing, had dared venture. 

Or had they? Of course, if someone had come up with this behind 
the Triple Fence or any of its foreign cousins, Diffie and Heilman 
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wouldn’t have known it. Certainly, if anyone had actually published 
anything about it, Diffie would probably have discovered the paper in 
his extensive research of the past few years. 

As it turned out, there had been at least one outsider who had been 
thinking along the same lines as Diffie and Heilman. 


In early February 1976, Marty Heilman received an intriguing letter 
from a graduate student at the University of California at Berkeley: 

Dear Dr. Heilman, 

About three days ago, a copy of your working paper, 
“Multiuser Cryptographic Techniques,” fell into my hands. 

Just prior to this, I had finished revising a paper on the 
same subject, which will shortly be re-submitted to the 
Communications of the ACM [Association of Computing 
Machinery], (Original submission was in August 1975.) I 
enclose a copy of it in the hopes that you’ll find it interest- 
ing. Actually, I’m glad to know there’s someone else who’s 
interested in the problem. The people with whom I try and 
discuss it either fail completely to understand what’s going 
on, or regard any attempt at solution as impossible. Fortu- 
nately the (partial) solution described in the enclosed paper 
demonstrated that it is possible. Now, if only we can do 
better! . . . 

The letter ended with a proposal: “The possibility arises of doing 
joint work, and I would be interested in this possibility. I hope to hear 
from you, and wish you the best of luck in the hunt.” 

It was signed Ralph C. Merkle. The return address, in Berkeley, 
seemed to coincidentally reflect the speed with which things were now 
moving: Haste Street. 

Merkle’s name had actually come up some months before: he was 
the Berkeley student whose work had been mentioned to Diffie by 
mutual friend Peter Blatman, a mention that led Diffie to unkink his 
thought process and make the crucial public key connection. Now it 
appeared that, working totally independently and with no more equip- 
ment than his own brain, Merkle had already made a breakthrough 
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similar to Diffie’s. What’s more, according to the unpublished pa- 
per he enclosed, he had actually turned the trick that Heilman and 
Diffie were still fumbling to perform: he’d created a public-private key 
scheme. 

Like Marty Heilman and Whit Diffie, Merkle was the son of an edu- 
cated man; his father had been the associate director of the Lawrence 
Livermore Laboratory, one of the nation’s top military research facili- 
ties, until he died of colon cancer in 1966. (The illustrious nature 
of Merkle’ s family extends to his great-uncle Fred, a professional 
ballplayer who made the famous omission of not touching second base 
in a game that ultimately decided the 1908 National League pennant 
race.) Young Ralph Merkle was, understandably, a science buff, a 
math whiz, and, by the time he enrolled as an undergraduate at Berke- 
ley, a computer enthusiast. As for cryptography, “I had not displayed 
any noticeable high interest in the subject area,” he says. This changed 
during the fall 1974 semester, when Merkle, in his last term as an 
undergrad, took a class known as CS 244, on computer security. 
Taught by Lance Hoffman, an assistant professor in the department of 
electrical engineering and computer sciences, the course’s key require- 
ment, besides a November midterm, was a term project. “Grading is 
done on a curve,” wrote Hoffman on the syllabus, “but if you do excel- 
lent work in a class full of geniuses, fear not! You’ll still get your A.” 

Hoffman included cryptography in CS 244 but not at a particu- 
larly sophisticated level. Since the varieties of crypto deployed by the 
government were classified, those used in the private sector, even in 
academia, were relatively rudimentary. “We didn’t get into the details,” 
admits Hoffman now. “I’m sure I would teach the Caesar cipher and 
things like that. Don’t forget, all you really had back then were substi- 
tution ciphers and transposition ciphers and combinations.” 

But almost from the moment the class first met on October 1 , con- 
vening twice a week until December 5, when final papers were due, 
Ralph Merkle began thinking more ambitiously. Hearing about the 
way cryptography operated — as a means to protect information that 
might be exposed to eavesdroppers — he hardly paused to concentrate 
on what everybody since Caesar had considered the main problem: 
coming up with stronger, less crackable cryptosystems that would be 
encoded and decoded by a symmetrical key. 

Instead, for reasons that remain unclear but are probably related to 
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Merkle’s unconventional mind, he fixated on what struck him as a 
weird, somewhat challenging aspect of a more basic dilemma. The 
essential cryptographic scenario assumed that the channel of com- 
munication was vulnerable. This was certainly the case in telegraph 
transmission, radio broadcasts, and the subject of Hoffman’s course, 
open computer networks. But what measures could you exploit if you 
wanted to communicate with someone who wasn’t already in posses- 
sion of a prearranged, secure symmetrical key? Was there a way in 
which those two people could spontaneously engage in a conversation 
that would be clear to both of them but opaque to whoever was lis- 
tening? As Diffie and Heilman now understood, this was a problem no 
one else had tackled, undoubtedly because it defied solution. 

Merkle, unpolluted with knowledge about the theory or history of 
crypto, was unaware of the apparent impossibility of his mission. He 
simply tried to solve the problem. The crucial aspect of the situation, 
he figured, lay in the different circumstances of two people who 
wished to privately communicate and a potential interloper. The pair 
were actively involved in a conversation, while the interloper was a 
passive listener. He sensed that his solution lay in exploiting the con- 
spiracy of the private communicators, creating a situation where, says 
Merkle, “the active participants can confuse the heck out of the pas- 
sive listener, even though the listener hears everything.” Merkle began 
thinking about this almost obsessively. And one night, in October 
1974, sitting in bed in his small apartment staring at the ceiling, 
Merkle figured out a way this might be done. 

Puzzles. 

Here’s the scheme that Merkle conceived in the dark. The situation 
is classic: Bob and Alice want to communicate. Bob is a sender and 
Alice is the intended recipient of a secret message. Unfortunately, there 
exists an unwanted eavesdropper, Eve, who has access to anything that 
passes between those two parties. How can Bob send a message 
that Alice can read and Eve can’t? First, he creates puzzles. Each puz- 
zle is an encrypted message scrambled by a relatively small key — 
something solvable with a modicum amount of brute-force effort, a 
challenging yet feasible task for Alice’s computer. “That’s why it’s a 
puzzle,” says Merkle. “It’s hard to solve but it’s solvable, by searching 
through all the combinations of the keyspace.” With the use of his own 
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computer, Bob creates not one puzzle, but thousands, maybe millions, 
of these puzzles. All of these are sent off to Alice. 

Alice, in effect, spreads these puzzles on the floor and chooses 
one at random. (Eve, of course, is capable of intercepting all those 
puzzles — but she would not know which particular one Alice chose.) 
Then Alice attacks her chosen puzzle by having her computer search 
through the keyspace until the solution is revealed. That solution 
includes a string of numbers: it’s the decrypted message of that puz- 
zle. At this point both Alice and Bob have the solution to that particu- 
lar puzzle. Bob, of course, knows the solution because it’s his own 
puzzle — he has the answers to all the puzzles he’s sent off. But Eve 
doesn’t have that solution. Even though she may have intercepted 
Bob’s massive transmission to Alice, she doesn’t have the time or com- 
puter power to find the answer to all the puzzles — and she doesn’t 
know which one Alice selected. 

The next step requires Alice to inform Bob which puzzle was cho- 
sen. That’s easy; among the contents of the encrypted puzzle would 
be an identifier (something that says, for instance, “Hey! I’m Puzzle 
No. 3!”) and a long digital key. So when Alice ships back the message, 
“Puzzle No. 3,” Bob can look up which key is stored in that puzzle. At 
this point, they would both be in possession of a shared secret key they 
could use to conduct further secret communications. Eve may even 
hear that it’s Puzzle No. 3, but she would have no clue which one of 
the millions of puzzles that refers to. Remember, she has to crack all 
the puzzles in order to get the keys. While this might be a feasible task 
with the help of some extremely super computer, it would always 
require much more effort than it took Bob and Alice. Maybe millions 
of times more. But the amount of effort wasn’t the point. 

Here was the point: Ralph Merkle, in a tiny Berkeley apartment, 
totally off the National Security Agency’s radar screen, had figured out 
a way in which two people, with no prior agreement on a secret key, 
could send a secret message that would frustrate the cracking efforts 
of a diligent eavesdropper. 

What goes through the mind of someone who comes up with a 
totally novel concept of cryptography, something that confounds what 
has been the mainstream thought in this field for over a thousand 
years? “My first response was, ‘Gee this looks neat; I ought to be able 
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to get a quarter project out of it.’ ” says Merkle. If that seemed like an 
understatement, it was nevertheless an overly optimistic one. The pro- 
tocol for the research paper, or the “quarter project,” was to submit a 
proposal to Professor Hoffman, and Merkle promptly wrote up a 
description of what he wanted to do. Of necessity, it was skimpy and 
vague. “I couldn’t cite any previous literature saying this is an impor- 
tant problem because I’d never seen any literature saying this was an 
important problem,” explains Merkle. “I suspected [correctly] that 
there was no previous literature. So I basically wrote up a little thing 
about it.” As a backup, he also mentioned that he was also thinking 
about a paper on data compression. 

After reading the proposal, Lance Hoffman told his student he’d be 
better off writing about the data compression problem. 

Merkle tried to persuade his professor otherwise, recasting his pro- 
posal several times in an attempt to get Hoffman to concede that it was 
at least interesting enough to pursue further. But Hoffman wouldn’t 
even toss him that harmless bone. Why not? “Let me be polite and 
simply say he did not appear to understand what I was saying at the 
time,” says Merkle. “So I dropped the course.” 

Years later, Hoffman, now a Georgetown professor who has become 
an expert on issues of cryptographic policy, would ruefully recall the 
incident, attributing the rejection to a combination of Merkle’s abstruse 
writing style and his own failings as a mathematician. “Merkle struck 
me as a young sort of pimply faced kid who might have a good idea, 
but it wasn’t clear to me that I had the time to extract it out of him, or 
that he had the communication skills to deliver it in a way I could at 
least understand,” he says. “I’ve got a math degree from Carnegie 
Tech, but I’m not a mathematician, and so he probably needed some- 
body like Marty Heilman to really sit down with it.” 

Merkle, of course, did not know about Marty Heilman yet. He just 
wanted someone, anyone, to assure him that his instincts were correct, 
that he had stumbled on something significant. But the usual reaction 
of the Berkeleyites he asked was similar to Hoffman’s. “Basically peo- 
ple sort of stared at me and were utterly baffled by what I was talking 
about,” Merkle says, “on the grounds that it was obviously something 
very strange.” Finally, one of Merkle’s professors, Robert Fabry, 
offered some encouragement. This is a good idea, he told Merkle — 
you should try to get it published. So Merkle rewrote the paper more 
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formally, hoping to publish it in the prestigious Communications of the 
ACM. He entitled it “Secure Communications Over Insecure Chan- 
nels,” and in August 1975 formally submitted it to Sue Graham, the 
journal’s editor. 

On October 22, 1975, Graham wrote to Merkle. An “experienced 
cryptography expert” had gone over his paper, she explained, and 
found the article unworthy of publication. In the words of the reader 
(due to the practice of “blind refereeing,” his or her name was with- 
held, but typically such readers were the illuminati in a given field), the 
gaping flaw in the paper was its very premise: assuming that a crypto- 
system could work without the secure delivery of keys. What made 
Merkle’s idea revolutionary also made it unacceptable. “I am sorry to 
have to inform you that the paper is not in the mainstream of present 
cryptography thinking,” said the reader. “Experience shows that it is 
extremely dangerous to transmit key information in the clear.” Sue 
Graham herself took pains to emphasize that she agreed with the ref- 
eree. “I read the report myself and was particularly bothered by the 
fact that there are no references to the literature,” she wrote. “Has 
anyone else ever investigated this approach [?]” 

The answer, as far as published work was concerned, was no. 

Merkle was disappointed, but not defeated. His mien may not have 
been as swashbuckling as that of his father, who was once referred to 
as a “perfect combination of physicist and pitchman” and was known 
for blasting through the Livermore Lab parking lot at high speeds in a 
beat-up Packard convertible. But he did inherit a dogged persever- 
ance. So he kept revising and rerevising his paper, despite a series of 
further rejections. “What was striking,” he said later, “was how the 
publication process was tuned to incremental improvements, but was 
very bad at handling something that is fundamentally different.” He 
just knew, though, that the idea was worth pursuing. “It couldn’t be 
wrong because it was simple,” he says. “It was unclear exactly what it 
would lead to, but it was pretty obvious it should be made available. I 
basically wanted to publish that idea and say, ‘Here is a neat idea — it 
clarifies what this problem is, it clarifies the fact that a solution is fea- 
sible, and it is now a well-defined research problem. Now let’s get 
some other folks in there and see what else we can find.’ ” 

In early 1976, just as Merkle was beginning to lose faith, a col- 
league told him that he knew some people who talked just the way he 
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did, notably a guy named Marty Heilman. Coincidentally, one of Hell- 
man’s courses was being carried on a closed-circuit broadcast line 
between Stanford and Berkeley. Merkle managed to tune into the 
audio portion of one of the sessions and immediately realized that 
Marty Heilman was indeed thinking the same things he was. By that 
time, a draft of Diffie and Heilman’s “Multiuser Techniques” paper 
was being privately distributed, and Merkle managed to get hold of a 
copy. Instead of grinding his teeth at seeing that someone else had 
published first, Merkle became excited at the idea that work on “his” 
concept was actually being done. His immediate instinct was to team 
up with the Stanford researchers. Thus his letter to Heilman of Feb- 
ruary 7, where he proposed a collaboration and included a draft of his 
paper in place of a vitae. 

Merkle’s work was a revelation to Diffie and Heilman, neither of 
whom had really thought that they would see a possible implementa- 
tion of their idea for some time. Merkle’s puzzle concept, though it 
still had problems, was a definite advance. Soon Merkle became part 
of Heilman’s discussions with Diffie on implementing public key cryp- 
tography. Merkle wondered how his puzzle scheme could be jiggered 
to work within the kind of public key cryptosystem that Diffie and 
Heilman had suggested. In a letter dated April 2, 1976, he proposed 
a system in which each user would have a unique arrangement of 
puzzles — and that itself would be the public key. “Thus,” he wrote, “if 
anyone wishes to send a message to A, then all they have to do is select 
one of A’s puzzles at random. They then encrypt their message, and 
send it to A. A looks up the puzzle key using the puzzle ID on the front 
of the message. Anyone else is up shit’s creek, because they can’t fig- 
ure out the puzzle key.” 

Merkle also speculated on how puzzles, integrated into a public key 
system, could also provide a way to get receipts to prove that messages 
had been delivered. With that as a lure, he confided that he was look- 
ing for a summer job. His concluding sentence referred to the main 
practical flaw of his system — that the level of security provided by 
puzzles was merely at the mathematically polynomial level, not the 
more rigorous exponential level. An eavesdropper would have to per- 
form a lot of work in order to crack the puzzles, but that work factor 
was limited by the number of puzzles. Say that in the puzzle crypto- 
system, Alice sent Bob a million puzzles to choose from, but intruder 
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Eve had a computer that was a thousand times faster than Bob’s. (Not 
a wild assumption if you figure that wealthy governments with huge 
computational resources might want to break somebody’s message 
code.) Then, in the time it took Bob to solve a single randomly cho- 
sen puzzle, Eve would be able to solve a thousand puzzles. If it took 
Bob a minute to solve his puzzle, Eve would solve the entire set of one 
million puzzles in about sixteen hours — a totally intolerable situation 
for those needing strong protection. Even if Eve’s computer was no 
more powerful than Bob’s she could crack all the puzzles in less than 
two years. If maintaining secrecy was essential, that wasn’t very desir- 
able, either. (On the other hand, such a spread was sufficient for 
authentication, since breaking a signature key a year after it was used 
wouldn’t give a foe any appreciable advantage.) Any decent encryption 
system had to assure that whatever one-way function was used, a 
mathematically exponential relation would exist between the easy cal- 
culation of the communicator and the more difficult task posed to the 
cracker. Ideally, this should jack up a foe’s work factor to a task 
requiring thousands, millions, or even billions or trillions of years of 
crunching. Merkle was hopeful that he could figure out a way for his 
system to satisfy these conditions. “Perhaps,” he wrote Heilman, “we 
can get exponential by the end of the summer.” 

While Merkle was figuring out how to get exponential, Diffie and 
Heilman focused on finding their own means of implementing a pub- 
lic key cryptosystem. Without some way of actually putting their ideas 
into action — or at least proving that some feasible scheme could 
exist — the whole concept of public key cryptography would be merely 
a mathematical mind-trick. 

One path was suggested by Stanford computer scientist Donald 
Knuth, whose encyclopedic series of books in progress, The Art of 
Computer Programming, would earn him the reputation as the high 
guru of algorithms. Knuth reminded them of an interesting mathe- 
matical phenomenon: while it is child’s play to multiply a pair of prime 
numbers, reversing the process — a task known as factoring — is an 
assignment that could confound the devil himself. Could this phe- 
nomenon be the basis for a devilishly challenging one-way function? 
Though Diffie and Heilman did not choose to pursue this idea, others 
would. 

Another alternative involved computational complexity, and Diffie 
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pored over a book on the subject, particularly a chapter on what was 
known as NP-complete functions. The class of NP-complete prob- 
lems, Diffie later wrote, are “problems thought not to be solvable in 
polynomial time on any deterministic computer.” This meant that they 
were so hard that you could set your Macintosh, or even your Cray 
supercomputer (if you were the NSA), to work on the problem and 
when you checked the results a few trillion years later, you wouldn’t 
even be in the general neighborhood of solving it. But though Diffie 
did have some ideas on using complexity to create a formula for a 
one-way cryptographic function, he never found a way to do it with 
trapdoors. 

It was a suggestion by one of Heilman’s colleagues in Stanford’s 
electrical engineering department, John Gill, that proved most promis- 
ing. Gill pointed to a mathematical process known as “discrete expo- 
nentiation” as a potential function. Since the inverse of this process, 
known as discrete logarithm, was extremely difficult, this had the 
potential to fulfill the basic criterion of a one-way function: easy num- 
bers for the good guys to crunch, and computational hell for the bad 
guys to reverse -calculate. 

Diffie was working at the Stanford AI lab one day in May 1976, 
rewriting the public key cryptography paper that he and Marty were 
planning to publish later that year in the major IEEE journal, when 
Heilman called, excitement in his voice. He’d been working on dis- 
crete exponentiation, and had actually cooked up a workable system. 
When he explained it, Diffie instantly realized that Heilman had tied 
up the tangled threads of a theory that had been swirling around in his 
own mind for weeks. 

The scheme would come to be known as the Diffie-Hellman algo- 
rithm. It presupposes two parties who want to communicate in secret; 
by using one-way functions, these parties can jointly generate a shared 
key, one that an eavesdropper listening in on the session cannot inter- 
cept. Here’s how it works. 

The two parties first choose two numbers. This is done openly, 
since knowing these numbers will not help an eavesdropper. Each 
party then selects his or her own secret number, which will not be 
revealed or sent to anyone else. Then, using a mathematical formula 
that involves exponentiation, each party takes his or her own secret 
number and performs a calculation that involves both that secret num- 
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ber and the two previously chosen public numbers. After this brief 
number crunching, each person has a transformed secret number that 
is then sent to his or her counterpart. There’s no problem in sending 
this number over an open channel because, in effect, it’s an encrypted 
secret number, scrambled by means of a one-way function that was 
easy to perform but extremely hard to reverse. (How hard? Undoing 
the process would, in theory at least, be as difficult as solving what is 
known as the discrete logarithm problem. This requires performing 
about a million million quadrillion more operations than the exponen- 
tiation used to transform the numbers. That’s a one-way function!) 

You can think of this second pair of numbers as sort of an offspring 
of the openly agreed-upon public numbers and the closely held secret 
numbers. Trying to figure out the secret number from the figure 
passed over the clear channel would be like examining the DNA in a 
human cell and trying to figure out which parent was the contributor 
of each individual gene. You couldn’t do it unless you had access to 
DNA from either the sperm or egg cells. 

That leads to the third and final step of the Diffie-Hellman algo- 
rithm. Both parties separately use a related mathematical formula that 
combines those transformed numbers, in conjunction with his or her 
original secret numbers (the source DNA!), to arrive at yet another 
number. The formula works in such a way that both parties, despite 
the fact that their original numbers are different, will get the identical 
final number, which can be called K, as in key. Thus both people will 
now have possession of an identical numerical key — calculated in 
such a way so that only someone who has one of the original secret 
numbers can get K. An eavesdropper, of course, never had a chance 
to get hold of the secret numbers; that foe would be holding only the 
nearly-impossible-to-convert transformed variations. 

The Diffie-Hellman algorithm was both more efficient and secure 
than Merkle’s puzzle system. But it was not even close to a complete 
implementation of the sort of public key cryptosystem that the two 
were envisioning. Diffie-Hellman did not provide for digital signatures 
and didn’t even supply a means to encrypt messages. But it did pro- 
vide a method for two people who have had no prior communication 
to use an open channel and arrive at a secret key. That key could then 
be used with a conventional encryption system like DES to scramble 
messages and unscramble them. (This double-barreled approach — 
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one method to find a key without a prior arrangement and another 
method to actually communicate in secret — would be called a hybrid 
system . ) 

Including their new algorithm in the revision of “Multiuser Tech- 
niques” would make it a much more powerful document. The new 
paper, “New Directions in Cryptography,” was submitted on June 3, 
1976. Later that month, they presented some of their ideas at confer- 
ences in Lenox, Massachusetts, and Ronneby, Sweden — appearances 
that would prove to have unintended patent implications. But thoughts 
about exploiting intellectual property were the furthest thing from the 
minds of these information scientists. In contrast to what struck them 
as a government refusal to provide all the details of the Data Encryp- 
tion Standard, they were creating a fully open alternative to conven- 
tional cryptography itself. 


Meanwhile, Ralph Merkle, who was now well along in the graduate 
computer science program at Berkeley, was finally reconciled to the 
fact that his puzzles scheme wasn’t likely to overcome its work-factor 
flow. He began casting about for another public key approach. “I had 
various schemes involving circuits and complicated fiddling around 
with subsets of various types,” he said. None seemed to work. Merkle 
was further handicapped by his chronic difficulty in expressing com- 
plex ideas clearly; this made it difficult for colleagues to suggest 
modifications to his schemes. “You’re stretching your mind, and 
sometimes you get bizarre, baroque things,” he says in his defense. 
“It’s only after you’ve cooked up the idea that you start simplifying to 
the point where it’s clean and easy and straightforward to present.” 

Heilman took Merkle up on his offer to work together, giving him 
a summer research job. It would be exhilarating to work with the 
two people in the world who best understood the problem. “I was 
basically isolated until I met Whit and Marty,” he says. “I was ready 
to keep banging away until I got some response, but there was no 
one else who was interested in pursuing this.” Merkle arrived at 
Stanford convinced that his most promising idea revolved around a 
scheme built around finding trapdoor one-way functions involving the 
NP-complete problem. The system was built around a mathemati- 
cal problem known as knapsacks. To understand his scheme, picture, 
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naturally, a knapsack. “The idea is to put things into this knapsack, to 
exactly fill it to the brim without going either over or under,” he says. 
Diffie would later describe the problem as that of a shipping clerk 
faced with a collection of packages of various sizes and shapes who 
had to find the absolute best way to stuff the packages in the mailbag. 
The perfect solution is one that fills every cubic inch of space. Actu- 
ally, in Merkle’s scheme, it would be more accurate to say that the 
shipping clerk must know the proper combination of packages that 
will precisely meet the weight limit of a given knapsack. With only a 
few packages to choose from, the optimal solution isn’t that tough to 
find, but if there are plenty of packages, it gets much harder. 

Since Merkle wanted these knapsacks to act as trapdoor one-way 
functions — something that would be easy for the right person to solve 
but nearly impossible for everyone else to crack — he needed to figure 
out a way to tame this difficult problem for the proper keyholder. He 
did this by first using a much easier variation of the knapsack problem 
called a superincreasing knapsack. In these problems, the list of 
weights is ordered in such a way that discovering the solution is a 
breeze. Merkle then figured out a way to transform that easy process 
to the far knottier problem that comes with figuring out the solution 
to a normal knapsack, where the weights aren’t so helpfully arranged. 

It was a complicated but logical process. Someone who wished to 
receive a private message would begin with her own superincreasing 
knapsack, which would essentially be her secret key. Then she’d use 
that key to create a hard-to-solve normal knapsack to act as a public 
key. With the formula Merkle devised (working with Marty Heilman), 
that second knapsack could act as an encrypting function, scrambling 
messages in such a way that they could be unscrambled only by some- 
one who had the ability to solve the problem of that normal knapsack. 
In a practical sense, there would be only one way to do that — by using 
the secret key, which was the related superincreasing (easy-to-solve) 
knapsack. 

The impractical way would be to spend a few billion years trying to 
solve the problem by brute force. 

Was there a simpler way to break the system than using mega- 
computers for a brute-force attack, hoping to get the keys sometime 
before the sun went dead? In other words, could cryptanalysts find a 
shortcut, a flaw? Merkle was supremely confident that no such flaw 
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existed and posted a challenge on his office door. “I’m offering $100 
to the first person to break it,” he wrote to Heilman. “I’ve discreetly 
shown it to a few people here, and after listening to the resulting 
silence, I’ve concluded that the solution, if it exists, is at least not 
embarrassingly simple.” To be sporting about it, he made the task 
immeasurably easier, asking potential crackers to solve the problem 
with the difficulty of the knapsack problem set at a level so low that 
Merkle knew that there was at least a remote chance that someone 
might collect the reward. After that, he figured, he could raise the 
stakes and offer a higher bounty if someone cracked the real thing. 
“The point was that no one gave a damn about this stuff,” he says. “I 
figured that if I offered money for the [possibly unbreakable] knap- 
sack, people would just throw in the towel. So I offered money for the 
[easier problem], because somebody might actually break that, or at 
least think they have a chance at breaking that.” (He would publish a 
paper on knapsacks with Heilman in 1978.) 

In November, Diffie and Heilman’s IEEE paper came out. “New 
Directions in Cryptography” was a revelation, a true blow against the 
empire. (The title itself drew upon the authors’ generational roots by 
evoking the mind-blowing paperbacks of the New Directions publish- 
ing house — ground -shifting beatnik bibles like Waiting for Godot, Sid- 
dhartha, and In the American Grain.) “We stand today,” their article 
began with a fanfare, “on the brink of a revolution in cryptography.” 
The computer age allows for dramatically cheaper implementations 
of scrambling devices, they explained, necessary tools for a world 
that features “effortless and inexpensive contact between people or 
computers on opposite sides of the world.” But because of the key 
distribution problem and the lack of a digital signature component, 
conventional cryptography is unable to handle those challenges: “Its 
use would impose such severe inconveniences on the system users as 
to eliminate many of the benefits of teleprocessing.” Thus, there is the 
need for something new, a means by which private conversations can 
actually be conducted without prior acquaintance, messages can be 
authenticated to guarantee that the actual senders and recipients are 
involved, and a true digital signature can be contemplated. Not only 
were Diffie and Heilman the first to articulate these problems in an 
open forum, but in the succeeding breath they proposed to solve them 
with their original creation, public key cryptosystems. 
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Once, Diffie had harbored dreams of writing up any great crypto- 
graphic discovery he made, not as an academic paper but as an espio- 
nage novel. He had been disappointed in books of that genre that 
included great technical discoveries in their plot lines, because the fic- 
tional breakthroughs weren’t convincing; they had “feet of clay,” he 
complained. “Unfortunately,” he would note, “once I had the required 
technical discovery, I still did not know how to write a novel and had 
to content myself with publication in the professional journals like 
everyone else.” But he could take comfort in the fact that the paper he 
published with Marty Heilman was in many ways as enthralling as any 
page-turner that ever hit the bestseller list. This was science that broke 
the ground that science fiction had not yet contemplated; within 
its mathematical formulas lay a blueprint for twenty-first-century 
communications. 

Diffie and Heilman ended their paper with the observation that 
throughout the history of codes, it had often been amateurs who came 
up with the innovations in cryptography. They cited Thomas Jefferson, 
whose code wheel system was used two centuries after its invention, 
and also mentioned the four amateurs who independently came up 
with the implementations of electronic rotor machines that character- 
ized Enigma-style crypto during World War II. Then they concluded 
with a wish that their efforts would be only the beginning of an effort 
to change the landscape of modern cryptography: “We hope this will 
inspire others to work in this fascinating area in which participation 
has been discouraged in the recent past by a nearly total government 
monopoly.” 

That monopoly had just been smashed open by a long-haired for- 
mer MIT hacker and his passionate Stanford graduate school advisor. 
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1 1 ere’s something interesting. ...” 

A casual handoff of an academic paper from a graduate student to a 
professor. Ron Rivest, a twenty-nine-year-old assistant professor at the 
Massachusetts Institute of Technology, had no reason to believe that 
this paper was any more interesting than the hundreds of papers, arti- 
cles in journals, and technical memos he had already seen in his 
nascent career in academia. One of its authors, Whit Diffie, had 
worked in the same building — Tech Square in Cambridge, where the 
AI lab was one floor above Rivest’s office at the Laboratory for Com- 
puter Science. But neither that name nor that of the coauthor, Martin 
Heilman, was familiar to him. And actually, Rivest knew very little 
about encryption and virtually nothing about how sensitive a topic it 
was. Nor did the paper contain any breakthroughs in mathematical rea- 
soning; the spirit of Fermat was nowhere to be found in its equations. 

Even so, “New Directions in Cryptography” turned out to be more 
than interesting to Rivest: it thrilled him. Ultimately, it changed his life. 

The paper appealed to Rivest’s heart as well as his head. Rivest was 
a theoretician, but one for whom simple abstractions were not enough. 
The ideal for him was actually putting the ethereal mechanics of math 
to work, of making a tangible difference in the world of flesh and dirt. 
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Diffie and Heilman’s breakthrough wedded the spheres of abstraction 
and reality, applying an original mathematical formula to meet a need 
in society. Ron Rivest wanted to spend his time in the neighborhood 
where those two realms met. 

Despite a prodigious talent for math, Rivest did not grow up as a 
classic numbers nerd. His father had been an electrical engineer at the 
General Electric lab at Schenectady, New York, and Rivest had taken 
advantage of the strong science programs in the public high school 
there. For one summer, he’d attended a special math program at Clark- 
son College. But as high school graduation loomed, he mulled over 
careers in psychology or law. He wound up majoring in mathematics at 
Yale but only, he remembers, because “it had the fewest course require- 
ments, and it allowed me to take a lot of other courses.” These included 
plenty of classes in psychology, history, and other sojourns sans slide 
rule. Mathematics, he says, was “just one of many things I was doing.” 

He speaks of this in his characteristic soft, thoughtful cadence, a 
ruminative mumbling that draws a listener closer. Rivest is a balding 
man with pleasantly plump cheeks, neatly bearded. He certainly does 
not appear to be the sort of man who poses a threat to national secu- 
rity. While at Yale, Rivest attended a few marches protesting the Viet- 
nam conflict, but he was far from a flaming activist. Thoughts of 
sedition had never truly crossed his mind. 

At Yale, Rivest discovered computer science. While taking courses 
offered by the engineering department, he realized that programming 
offered an opportunity to merge theory with tangible effect, and he fell 
in love with that form of instant karma. He used his programming 
skills in a part-time job for an economics professor. Working on a 
huge punch-card-munching IBM mainframe, Rivest hacked away at 
arcane subjects like price indices in Latin America or New Zealand — 
and felt just as powerful as if he were moving mountains. If Yale had 
offered a computer science major back then, Rivest would have signed 
up in a minute. In any case, after graduating from Yale in 1969 with 
a math degree, he went on to graduate school at Stanford, in the four- 
year -old computer science department. 

Rivest spent much of his time at Stanford s cutting-edge artificial 
intelligence lab, helping with a fairly quixotic project involving an 
autonomous robot rover. The idea was to get the electronic beast to 
roam the parking lot with no human intervention, a typical overly 
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optimistic task for AI workers in the 1960s. He had terrific fun with 
this, and was fascinated with the idea of making computers “smart.” 
But the problems of making robots behave forced him to concentrate 
on hard-core engineering problems, and he didn’t want to get too far 
from theory. He increasingly became drawn to understanding the 
mathematics of computation itself. His guru was not the AI elder John 
McCarthy but Don Knuth, Stanford’s Jedi Master of algorithms. But 
Rivest’s goal was always applying theory. 

“Artificial intelligence gets to be a bit mushy — it’s hard to tell what 
it is you’re doing, and hard to tell when you’ve done something right,” 
Rivest explains. “But with theory you can make a crisp model and say, 
‘This is what I want to do and here’s the solution to it.’ ” There was 
nothing like using the beauty of mathematics to solve a problem. Not 
only was it possible to pull a cerebral arrow from your quiver and hit 
the bull’s-eye dead center, but you had the equivalent of a celestial 
arbiter — your proof — ringing the buzzer to let you know you’d scored. 
So while Rivest enjoyed writing AI software programs, his doctoral the- 
sis involved database retrieval algorithm and research techniques. Very 
Knuth-ish. And in a yearlong postdoc at the Institut National de 
Recherche en Informatique et en Automatique (INRIA) outside Paris, 
he concentrated on other theoretical problems. 

In the fall of 1974, Rivest accepted his post as an assistant pro- 
fessor on a tenure track at MIT. It was an ideal job, one that would 
enable him to pursue his theoretical interests in a department that also 
allowed him the freedom to work on programming problems as well. 
Rivest had been married since graduating from Yale. At twenty-seven, 
he seemed poised to begin a productive yet quiet life as an academic 
in one of America’s best scientific institutions. From his eighth-floor 
window in the boxlike Tech Square building in Cambridge, he would 
watch the gorgeous campus sunsets, their drama enhanced by pollu- 
tion spewed out by Boston-area industry. And then he would return to 
his algorithms. 

In December 1976, and throughout that entire winter, the algo- 
rithms Rivest grappled with were the ones suggested by Diffie and 
Heilman’s “interesting” paper. It might be more accurate to say that 
he was consumed by the formulas missing from that cryptologic mani- 
festo. While the two Stanford researchers had indeed presented a 
mathematical outline for a new way of passing secret messages — and 
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also digitally “signing” messages so that a communication could be 
definitively associated with its author — when it came to an implemen- 
tation that one could really use, they’d come up dry. The Diffie- 
Hellman key exchange approach allowed two parties to set up a 
common key, but there was no obvious way that it could be extended 
to signatures. (Merkle’s not-yet-published knapsack solution also fell 
short of this.) Diffie and Heilman had speculated on various ways that 
one might eventually come up with a workable system where each 
individual could have his or her own key pair, one public and one kept 
secretly. But without the proper mathematical scaffolding, it was really 
nothing more than a suggestion. It all hinged on finding sufficiently 
powerful one-way functions. Was there indeed a set of these that could 
stand as the reliable scaffolding of a volks- cryptosystem? A set of 
functions so sound that the system based on them would be impervi- 
ous to all sorts of eavesdroppers and codebreakers, even highly moti- 
vated ones equipped with high-speed computers, deep cryptographic 
experience, and a touch of genius themselves? 

Answering those questions became Rivest’s obsession. Though the 
mathematical component of the quest was exciting in itself, the process 
was charged with a thrilling frisson, in that a successful solution could 
potentially kick off an entirely new kind of commerce — business done 
over computer networks. This is important, Rivest thought, and imme- 
diately began evangelizing the challenge to his colleagues. 

Leonard Adleman was the first one to fall victim to Rivest’s exhorta- 
tions. He was a young mathematician who also split his time between 
the computer science lab and the math department. One day that 
December, he recalls, he walked into Rivest’s office just a few doors 
down from his own at Tech Square. “Did you see this paper?” Rivest 
asked. “It shows how you can build this secret code, where if I wanted 
to send you something and we wanted it to be secret, and somebody 
was listening ...” 

As Rivest gushed about the workings of public key, Adleman asked 
himself, Do I care about this? Unlike Rivest, Leonard Adleman wor- 
shipped theory, pure and simple. He often thought about Gauss, 
Euler, Fermat . . . giants of previous centuries who had discovered the 
foundations of mathematical truth, blue-sky brainiacs without regard 
for any practical applications their constructs may have had. These 
geniuses were as gods to Adleman, and he longed for nothing less than 
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to play in the same arenas of pure mind. This stuff about cryptography 
that so excited Rivest sounded to Adleman like some problem about 
how to build a better automobile or something. Not the sort of intel- 
lectual gauntlet that a math god like Carl Friedrich Gauss would have 
jumped at. So Adleman waited patiently until Rivest was finished, then 
remarked, “That’s very interesting, Ron.” And changed the subject. 

Rivest had more luck with another recent addition to MIT’s com- 
puter faculty. Just that month, Adi Shamir, a rail-thin, witty Israeli, 
had arrived at MIT for a visiting professorship in the Laboratory for 
Computer Science. Shamir was having a hectic time. Though he was 
a world-class mathematician, he had yet to learn much about com- 
puter algorithms. So he had been unhappily surprised when, several 
weeks earlier, Rivest had sent him a letter “to discuss the contents 
of the advanced algorithm course you will teach this spring term.” 
Shamir winced: bad enough an algorithm course — but an advanced 
one? To doctoral candidates? Fortunately, Shamir was a lightning- 
quick study. As soon as he arrived at Tech Square he zoomed to the 
library and checked out a shelf full of books on the subject; in the next 
two weeks, he learned everything he needed to know about algo- 
rithms. It was sometime during that remedial reading period that his 
new colleague, Ron Rivest, popped into his office and enlisted him in 
the effort to implement public key cryptography. 

Once he got a look at it, Shamir agreed with Rivest that the Diffie- 
Hellman paper was significant. Not that it was groundbreaking from 
a mathematical point of view. He figured that if you took anyone expe- 
rienced in number theory and tried to explain the Diffie- Heilman 
scheme to him, it would have taken exactly two minutes. The novelty 
was how the Stanford guys took something that had absolutely no rela- 
tion to cryptography in the past and suddenly applied it to a new field. 
Shamir quickly became Rivest’s partner in the search for the perfect 
mix of one-way functions. 

As the winter progressed, Rivest and Shamir became friends; with 
Adleman they formed a jolly threesome. Adleman, at first almost as a 
social concession, joined in the algorithmic hunt. “We were roughly 
the same age, we were all in the same discipline, and we liked each 
other, so we became not only colleagues and collaborators but hung 
out all the time,” Adleman says. Adleman and Shamir were bachelors, 
and Rivest’s more domestic existence served as a sort of anchor to the 
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group, both at work and in his home in Belmont, a warm, open apart- 
ment with access to a nice yard. (Adleman lived in an apartment in 
Arlington and Shamir had a place in Cambridge.) As the weeks pro- 
gressed, the young men, with adjoining offices on the eighth floor of 
Tech Square, began working seriously on their quest. 

Not surprisingly, Rivest was the most focused of the group. Though 
he taught classes during this period, his mental efforts never strayed 
far from crypto. “Whatever Ron decides to do, he does extremely 
well,” says Adleman. “If he decided, say, to start building rocket ships, 
I’d put my money on it that in five years he’d be one of the five best 
rocket builders on earth.” Shamir was similarly dogged. “Adi’s like an 
intellectual lion; you just throw some meat in front of him and he’ll 
chew it up,” says Adleman. 

Adleman himself acted as more of a foil. Of the three, he was the one 
who most looked and acted like a classic, dreamy mathematician — the 
kind of shaggy-haired young guy who would be the helpless prey of a 
wacky heroine in a screwball comedy (by the end of the movie, 
though, we’d learn that he had his own devilish streak) . Perhaps once 
or twice a week, Rivest and Shamir would come up with a scheme, 
and then present it to Adleman, the group’s Mr. Theory, who would 
then set about to identify its flaws and break the scheme, sending the 
other two mathematicians back to the blackboard. To Adleman the 
exercise was like swatting flies, and not much more intriguing. Even 
weeks into the project, he was convinced that the whole project was 
not really worth his effort — it was too grounded in the real world. He 
understood that both his friends had this sense that the potential prac- 
tical applications made the quest desirable. That didn’t matter to Adle- 
man. He loved math because its beauty transcended earthly concerns. 

At first, every scheme they came up with was easily obliterated by an 
Adleman attack. Frustratingly so. “We experimented with a lot of dif- 
ferent approaches, including variations on things that Diffie and Hell- 
man suggested,” says Rivest. “We weren’t happy with the approaches 
we came up with.” At one point, they got so discouraged that they won- 
dered whether an answer existed at all. Maybe Diffie and Heilman’s 
apparent breakthrough was a dud. So for a little while, they switched 
gears and attacked the problem from the opposite end, trying to come 
up with a proof to show that public key cryptography was impossible. 
“We didn’t get very far at that,” says Rivest. 
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In February, the three MIT mathematicians went to the Killington 
ski resort in Vermont. It was definitely a working holiday. Even as the 
three computer scientists tried to teach themselves to ski, their minds 
were never far from the problem. For Shamir, and even more for 
Rivest, it was almost a biological drive; Adleman was literally along for 
the ride. “All the way up in the car, around the fire, riding the ski lifts, 
that’s what they were talking about, so that’s what I was talking 
about,” he says. Of course, when actually schussing down a mountain 
on skis, they couldn’t continue the discussion — so they thought about 
it. Shamir later recalled, only half facetiously, that they settled into a 
routine of each racing down the hill for a half hour devising a new 
public key cryptography scheme. And then the others would break the 
scheme. On only the second day that the Israeli had ever been on skis, 
he felt he’d cracked the problem. “I was going downhill and all of a 
sudden I had the most remarkable new scheme,” he later recalled. “I 
was so excited that I left my skis behind as I went downhill. Then I left 
my pole. And suddenly . . .1 couldn’t remember what the scheme was.” 
To this day he does not know if a brilliant, still-undiscovered crypto- 
system was abandoned at Killington. 

In a way, their difficulties were only to be expected. Why would 
anyone think that three young computer science assistant professors 
could ever come up with a sound cryptosystem, let alone a bulletproof 
scheme that for the first time in history allowed people to communi- 
cate with each other in total secrecy without having to make arrange- 
ments beforehand? A reasonable mind would conclude that this could 
only be done by someone intimately familiar with the field. If you had 
a magical instrument that measured cryptographic knowledge, the 
combined experience of the MIT Three wouldn’t have moved the nee- 
dle even a tickle. 

But such ignorance was perhaps their most valuable asset. “We were 
extremely lucky,” Shamir later said. “If we’d known anything about 
cryptography and known about differential sequences and Lucifer 
and DES we probably would have been misled into expanding those 
ideas and using them for public key cryptography. But we were rank 
amateurs — we knew nothing about cryptography. And as a result we 
were just exploring the ideas we were taught at university.” 

These ideas were a mathematical grab bag that suggested all sorts 
of possibilities — everything from linear algebra to equation sets. And 
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they went through them all. Generally they’d meet in Rivest’s office, 
scrawling equations on the blackboard. Someone would come up with 
an idea and they’d think about it for a while, and then maybe they’d 
see a flaw with it. “Sometimes I would break my own scheme, or Adi 
would break his, or I would break Adi’s,” says Rivest. The more 
promising possibilities would go to Adleman, who, despite his initial 
lack of interest, was developing quite a talent for locating, then tug- 
ging at, the threads that would unravel a given scheme. 

Eventually, they found a system that looked like it might fly. It was 
about the thirty-second candidate. Adleman immediately thought this 
one looked more interesting than the predecessors. He pulled an all- 
nighter before he broke it — “It took real research to break it, as 
opposed to observation,” he says — and discovered that he had mixed 
feelings about his success. He was now hooked, too. (Several years 
later, some researchers published a paper proposing an almost identi- 
cal scheme, only to be embarrassed when other mathematicians redis- 
covered Adleman’s “scheme 32” attack.) 

By then their solutions were beginning to utilize the idea of a 
promising one-way function: factoring. Though Knuth had suggested 
this to Diffie and Heilman, the Stanford researchers hadn’t followed up 
on it; by coincidence, Rivest was settling on his former mentor’s hunch. 

Once again, factoring is a mathematical problem tied to the use 
of prime numbers. A prime number, of course, is one that cannot 
be arrived at by multiplying two numbers together (the lone excep- 
tion being the prime itself and the number one). If you multiply two 
large primes together, then, you get a much larger number that isn’t 
a prime. To factor that number, you have to somehow reverse the 
process, identifying the two original seeds that produced it. This had 
been understood as a hard problem ever since a few years before 
Christ’s birth, when Eratosthenes of Alexandria devised a mathemati- 
cal process called a “sieve” to try to perform this task. At that time, 
people considered factoring to be virtually the same problem as trying 
to figure out whether a number was a prime or not. Twelve hundred 
or so years later, Fibonacci improved the method somewhat, but by no 
means did he offer a way to reasonably break down a large product 
into its two parent primes. When Gauss in 1801 recognized that fac- 
toring and finding primality were two different problems, he identified 
the former conundrum as a vexing but critical challenge: 
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The problem of distinguishing prime numbers from com- 
posite numbers and of resolving the latter into their prime 
factors is known to be one of the most important and use- 
ful in arithmetic. . . . The dignity of the science itself seems 
to require that every possible means be explored for the 
solution of a problem so elegant and celebrated. 

Gauss never did find an efficient solution to the factoring problem, 
and no one else did either, though no proof existed that a solution was 
impossible. Not that it was a very hot topic in the mid-1970s. “Fac- 
toring at the time was not a problem that people cared about very 
much,” Rivest says. “Publications were few and far between.” 

Still, as the MIT Three continued trying different variations of 
schemes to implement the Diffie- Heilman concept, they became in- 
creasingly drawn to using factoring in their system. 

On April 3, 1977, a graduate student named Anni Bruce held a 
Passover seder at her home. Rivest was there, and Shamir, and Adle- 
man. For several hours ideas of mathematical formulas and factoring 
were put aside for a recapitulation of the escape of the Jewish people 
from Egypt. As is customary with seders, people downed a lot of wine. 
It was nearly midnight when Rivest and his wife returned home. While 
Gail Rivest got ready for bed, Ron stretched out on the couch and 
began thinking about the problem that had consumed him and his col- 
leagues for months. He would often do that — lie flat on the sofa with 
his eyes closed, as if he were deep in sleep. Sometimes he’d sit up and 
flip through the pages of a book, not really looking, but reworking the 
numbers. He had a computer terminal at home, but that night he left 
it off. “I was just thinking,” he says. 

That was when it came to him — the cognitive lightning bolt known 
as the Eureka Moment. He had a scheme! It was similar to some of 
their more recent attempts in that it used number theory and factor- 
ing. But this was simpler, more elegant. Warning himself not to get 
overexcited — Shamir and Adleman, after all, had broken many of his 
previous proposals — he jotted down some notes. He did allow himself 
the luxury of saying to his wife that he’d come up with an idea that just 
might work. He doesn’t remember phoning the guys that night. Adle- 
man, though, insists that he received a call sometime after midnight. 

“I’ve got a new idea,” Rivest announced, and explained it. 
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Essentially, Rivest’s idea was to strip the factoring problem down 
to almost naked essentials. A public key is generated by multiplying 
two large (over 100 digits), randomly chosen prime numbers. Easy. 
Then another simple step (if you have a computer): randomly choose 
yet another large number, one that had certain easy-to-calculate speci- 
fied properties. This would be known as the encryption key. The com- 
plete public key consists of both that encryption key and the product 
of those two primes. 

Rivest then provided a simple formula by which someone who 
wanted to scramble a message could use that public key to do so. The 
plaintext would now be ciphertext, profoundly transformed by an 
equation that included that large product. Finally, using an algorithm 
drawn from the work of the great Euclid, Rivest provided for a decryp- 
tion key — one that could only be calculated by using the two original 
prime numbers. Using the decryption key, one could easily revert the 
ciphertext to the plaintext message. 

Thinking of it another way, on its way to ciphertext, the original 
message was intimately intertwined with the product of the two 
primes. What made the information in the plaintext unreadable was a 
mathematical transformation involving that large product — a trans- 
formation that could only be reversed if you knew what those two 
primes were. Then everything would become clear. 

Some of the mathematics of the decryption key — which works as 
the private key in this system — was derived from the work of an- 
other legendary mathematician, Leonhard Euler, who in 1763 devised 
an equation that dealt in the remainders of numbers obtained after 
dividing whole numbers. Almost two hundred years after its Swiss 
inventor first conceived it, an idea that had been deemed valuable only 
in theoretical math had found an application in the real-world me- 
chanics of codemaking. 

The scheme satisfied all of Diffie and Heilman’s requirements. A 
user could confidently broadcast a public key, because its essential 
component was only the product of the two primes. If snoops wanted 
to unscramble an intercepted message that had been encrypted with 
the public key, that information would be useless. In order to cook up 
a decryption key, they’d need the original primes. How could they do 
that? Only by factoring, and even Gauss couldn’t crack that nut. This 
was the beauty of the one-way function: easy to do if you’re going in 
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the right direction, next to impossible if you approach it from the 
wrong end. If the people using the system used primes as big as Rivest 
was specifying, factoring that product would require hunkering down 
with some supercomputers for a long winter — and for some billions 
of winters thereafter. As long as factoring remained difficult, this new 
scheme was secure. 

The scheme wasn’t limited to encryption, either. If you used the 
decryption (private) key to scramble a number, that jumbled result 
could be unscrambled by using the encryption key and the product of 
the primes — the public key. Since only the owner of the closely held 
private key could do this, this process would reliably authenticate the 
source of the message. What Diffie and Heilman had first imagined 
now seemed real: a solid formula for digital signatures, the enabler for 
new kinds of commerce, and a means to establish trust on an elec- 
tronic network. 

The formulas sounded beautiful to Adleman. It was a much less 
messy system than any they’d been dealing with. Others had used rela- 
tively convoluted schemes involving multiplication, division, addition. 
But Rivest had hit the target dead on. “I think that’s it, Ron,” said 
Adleman. “I think that’s going to work.” But Adleman, too, held off 
on popping a champagne cork. Too often, midnight excitement dissi- 
pates when a scheme is examined in cold morning light. 

When morning broke, though, the elegance of Rivest’s solution 
hadn’t dimmed. When the three researchers convened in Tech Square 
as usual, a flushed and breathless Rivest presented a manuscript to his 
colleagues with the whole shebang written out in a near -publishable 
format. It was signed Adleman, Rivest, Shamir. “I looked at this,” said 
Adleman, “and it was the description of what he’d said the night 
before.” He felt it was Rivest’s breakthrough, not his. 

“Take my name off,” he said. “It’s your work.” 

Rivest insisted that it was a joint project, that Shamir’s and Adle- 
man’s contributions were crucial, that the scheme was the final point 
in an evolutionary process. To Rivest, it was as if the three of them had 
been in a boat together, all taking turns rowing and navigating in 
search of a new land. Rivest might have stepped out of the boat first, 
but they all deserved credit for the discovery. Still, Adleman objected 
again. Maybe Shamir had contributed conceptually, but Adleman had 
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mostly stuck pins in various algorithmic trial balloons. No way he 
could take credit. 

Rivest urged Adleman to reconsider overnight. “So I went home 
and thought about it,” said Adleman. He was, after all, a logical man. 
Though he felt in his bones that he didn’t deserve to share credit, he 
knew that as an aspiring academic, any publication credit might help 
when he came up for tenure. And after all, breaking their Scheme 32 
hadn’t been trivial. What if he hadn’t been around to break it, and 
Rivest and Shamir had gone on to publish a faulty paper they cer- 
tainly would have looked like morons if some pimply grad student 
cracked their scheme. Given that he had made a contribution, why 
fight Ron on the matter? After all, Adleman thought, it wasn’t as if this 
was a paper anyone would actually see. “I thought that this would be 
the least important paper my name would ever appear on,” he recalls. 
So Adleman agreed to keep his name on it, if it were listed last. Mean- 
while, Adi Shamir agreed with Adleman that Rivest’s name should go 
first. This order determined the name of the algorithm itself: RSA. 

With input from his collaborators, Rivest quickly turned his origi- 
nal draft into MIT/Laboratory for Computer Sciences Technical 
Memo Number 82: “A Method for Obtaining Digital Signatures and 
Public Key Cryptosystems.” It was dated April 4, 1977. Though Adle- 
man might still have dismissed the outcome as mathematically unim- 
portant, a quick glance at the “key words and phrases offered for 
indexing purposes demonstrated that this was at the least an unusual 
effort for three number crunchers from MIT. In fact, the words offered 
a remarkable blueprint for a network society that would not be widely 
discussed for twenty years: 

. . . digital signatures, public key cryptosystems, privacy, 
authentication, security, factorization, prime number, elec- 
tronic mail, message-passing, electronic funds transfer, 
cryptography. 

With fanfare reminiscent of the Diffie-Hellman work that had first 
triggered the project, the paper’s first words proclaimed, “The era of 
electronic mail may soon be upon us; we must insure that two impor- 
tant properties of the current ‘paper mail’ system are preserved.” 
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These properties were that messages remain private and able to be 
signed. And then the authors promised to unveil a means by which 
these characteristics, long accepted as only the domain of hard copy, 
could be used in the coming, networked era. 

The paper was also notable for a more whimsical touch. Instead of 
what had been the standard form of delineating the recipient and 
sender of a message by alphabetic notation — A for the sender, B for 
the recipient, for instance — Rivest personified them by giving them 
gender and identity. Thus the RSA paper marks the first appearance 
of a fictional “Bob” who wants to send a message to “Alice.” As trivial 
as this sounds, these names actually became a de facto standard in 
future papers outlining cryptologic advances, and the cast of charac- 
ters in such previously depopulated mathematical papers would even- 
tually be widened to include an eavesdropper dubbed Eve and a host 
of supporting actors including Carol, Trent, Wiry, and Dave. The 
appearance of these dramatis personae, however nerdly, would be 
symbolic of the iconoclastic personality of a brand-new community of 
independent cryptographers, working outside of government and its 
secrecy clamps. 

Despite their confident language, Rivest wasn’t sure how significant 
the discovery was. “It was unclear at the time whether [the scheme] 
would be broken within a few months,” he says. “It was also unclear 
whether there were better approaches.” Still, he initiated a journal 
publication process, with an eye to the Communications of the ACM, 
where he was a contributing editor. He sent copies to colleagues for 
peer review. One to Don Knuth. And, in his first contact with the 
authors of “New Directions in Cryptography,” on whose system his 
own was built (a connection made explicit in his paper), he sent one 
to Whitfield Diffie and Martin Heilman. (Rivest later explained that 
among researchers it is not particularly unusual for a group of aca- 
demics to build upon previous work without notifying the original 
team until a result is obtained.) 

There were still some things that needed to be nailed down before 
the paper was submitted to a journal. One of them was definitively 
pinpointing the current state of factoring — the system, after all, relied 
on the difficulty of extracting two long primes from their product. 
Through Marty Heilman, they got in touch with Rich Schroeppel, the 
former MIT hacker whom Diffie had visited on his transcontinental 
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crypto adventure. (Ironically, Schroeppel had been pessimistic about 
the prospect of cryptosystems based on one-way functions.) Schroep- 
pel was among the few people on earth still doing very serious think- 
ing on factoring. 

Schroeppel now was ready to discard his skepticism of one-way 
functions and was eager to contribute. After reading what Don Knuth 
had offered as the best available formula for factoring, Schroeppel had 
done a timing analysis of it and had a deep realization of how truly 
knotty the problem was: no matter how you tackled it, it seemed that 
the work required to factor something was many, many times larger 
than the effort expended on the initial multiplication. “I think it was 
the first time anybody had looked at how hard it was to factor,” he 
says. Schroeppel was impressed with the RSA paper and sent some 
suggestions, including an analysis of how long it would take the fastest 
factoring scheme (an unpublished one by Schroeppel himself) to 
crack keys. Conclusion: plenty long enough for a good cryptosystem. 

Rivest also sent a paper to Martin Gardner, who wrote the “Mathe- 
matical Recreations” column for Scientific American. “He was always 
writing these columns about big numbers, and looking for primes,” 
says Rivest. Gardner had a loyal following among both amateur figure 
twiddlers and serious mathematicians: it was not unusual for one of 
his monthly dispatches to catapult a hitherto obscure problem into an 
international obsession. 

On April 10, 1977, less than a week after Rivest’s breakthrough 
had occurred, Gardner wrote back. “Your digital signature scheme is 
indeed fascinating,” he wrote. “The whole idea behind it is new to me, 
and I think a very interesting column could be written around it.” He 
invited Rivest to explain the scheme to him personally. 

An excited Rivest headed out to Gardner’s home in Hudson, New 
York. Gardner was an old-school gentleman and something of a 
scamp. The columnist performed a few card tricks; years later Rivest 
was still wondering how the hell he did them. The magic show com- 
pleted, Gardner asked for examples of how the RSA system worked, 
and it was Rivest’s turn to produce magic. Eventually they decided to 
offer a challenge to readers of the column. Rivest would generate a 
public key of 129 digits and use it to encode a secret message. If the 
system worked as promised, no one in the world would be able to read 
that message, with two exceptions. One would be someone who had 
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both a powerful computer set to break the message with brute force 
and a very large amount of time on his hands: if the computer was, for 
instance, a million -dollar PDP-10, the effort would take somewhere in 
the neighborhood of a quadrillion years. (This estimate, provided by 
Rivest on an apparent misinterpretation of Schroppel’s factoring time 
analysis, was an error on his part; what he meant to say was that it 
would take merely hundreds of millions of years to crack the code by 
calculation. Still not an undertaking for mortals.) The other exception, 
of course, was the person holding the private key match to that par- 
ticular 129-digit public key. That person could decode the message in 
a few seconds. 

And if the RSA system didn’t work as promised? Then some bright, 
motivated reader might figure it out. In that case, Rivest, Shamir, and 
Adleman would present that person a $100 prize. And the RSA system 
would be given a quick funeral, as it would be useless for protecting 
people’s privacy and authenticating their identities. 

Gardner’s column appeared in the August 1977 edition of Scientific 
American. It was spiked throughout with enthusiasm for the achieve- 
ment of the three young MIT scientists. Gardner, in fact, predicted that 
the breakthroughs by Diffie- Heilman, and then RSA, meant an end to 
an entire era of codebreaking: “[They are] so revolutionary,” he wrote, 
“that all previous ciphers, together with the techniques for cracking 
them, may soon fade into oblivion.” From now on, he wrote, armed with 
RSA and similar systems, we would enter a golden age of secure elec- 
tronic communications, where all messages could be secure, unreadable 
even by the masters of cryptanalysis. In fact, Gardner used the moment 
to declare void Edgar Allan Poe’s contention that “human ingenuity 
cannot concoct a cipher which human ingenuity cannot resolve.” In 
Gardner’s view, the ingenuity of the Stanford and MIT “outsiders” had 
concocted that very cipher. The columnist, while excited by the discov- 
ery, confessed to a wistfulness at the new reality, where the spy vs. spy 
aspects of encryption would be relegated to antiquity. “All over the 
world there are clever men and women, some of them geniuses, who 
have devoted their lives to the mastery of modern cryptanalysis. ...” he 
wrote. “Now these people are standing on trapdoors that are about to 
spring open and possibly drop them completely from sight.” 

Gardner completed the column by printing the message encoded by 
Rivest with the RSA system using a 129-digit key, inviting anyone to 
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try his or her luck, skill, and cryptanalytic prowess at breaking the 
code. Readers were invited to begin the process, or simply learn more 
about the system, by sending a self-addressed, stamped envelope to 
MIT and requesting a copy of the technical paper. 

Though the three professors were all on summer break, the secre- 
taries at Tech Square could attest to the instant impact of Gardner’s 
column — thousands of letters began pouring in. When Shamir finally 
returned to Cambridge after spending the summer backpacking in 
Alaska, he encountered a near avalanche as the stacks of envelopes 
that had been stored in his office engulfed him on his way to his desk. 

But that was only the first indication of the excitement that Gard- 
ner’s column inspired. This was the first public notice of the move- 
ment that began with Whit Diffie’s iconoclastic quest, and it seemed 
to have unleashed all the pent-up frustrations of anyone who once 
had been temporarily obsessed with the dark art of codes, only to 
have sublimated that attention elsewhere, since all the good stuff in 
the crypto world existed only behind the Triple Fence or, perhaps, its 
international counterparts. Reading Gardner’s account of what seemed 
like a turning point in this history of cryptography — not only in terms 
of what the tools were but who had forged them — was like the sun 
breaking through after decades of gray gloom. 

Len Adleman first saw the evidence of this that August, when he 
was browsing in a bookstore in Berkeley. Waiting to pay for his pur- 
chase, he overheard a conversation between a clerk and a customer 
buying a new copy of Scientific American. “Did you see the thing in 
here about this new code system?” asked the customer. 

“Yeah, I read about it,” said the clerk. “Isn’t it wild?” 

Adleman could not contain himself. “That’s the stuff we did,” he 
exclaimed, identifying himself as one of the three MIT professors in 
Gardner’s column. When the magazine buyer understood that Adle- 
man was on the level, he held out the issue. “Would you sign this for 
me?” he asked. 

As an instrument of crypto’s liberation, Len Adleman was sud- 
denly being asked for autographs a la Tom Cruise. Even Fermat hadn’t 
gotten that kind of treatment! 

And what about the people who were supposedly standing on 
those trapdoors Gardner mentioned — namely, the codemakers, code- 
breakers, analysts, and outright spooks who disappeared each day into 
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the Cone of Silence at Fort George Meade? How did they view the 
work of Rivest, Shamir, and Adleman and the advances of Diffie and 
Heilman? 

As one might expect: with sheer horror. 


The midseventies had already been traumatic for the NSA. For twenty- 
five years, its relationship with Congress had proceeded with nary a 
legislative speed bump. The agency addressed only the few represen- 
tatives who sat on classified intelligence oversight committees. After 
briefing sessions held in shielded rooms swept for bugs, the legislators 
routinely rubber-stamped all of The Fort’s requests. But in 1975 and 
1976, the NSA found itself the focus of a fearlessly insolent investiga- 
tion of its eavesdropping practices by Senator Frank Church’s Intelli- 
gence Committee. The committee was shocked to discover the extent 
of the NSA’s snooping efforts, particularly a strategy called Project 
Shamrock that included surveillance of American citizens. Church 
was incensed at the agency’s blithe insistence that such eavesdropping, 
performed without benefit of warrants, was still within its authority. 
The senator’s final report concluded with an almost biblical admoni- 
tion on what could happen if the agency continued on its course with- 
out restraint, warning that its monitoring capabilities “could at any 
time be turned around on the American people and no American 
would have any privacy left, such [is] the capability to monitor every- 
thing. . . . There would be no place to hide.” While the NSA avoided 
any serious repercussions, this “indecent exposure” (as described by 
an NSA official in an internal memo) was sobering. 

The wiser heads of the NSA obviously knew that if there was ever a 
time to lie low, this was it. Still, Diffie -Heilman’s work, and its alarm- 
ingly practical follow-ups, represented an encroachment into what the 
NSA had regarded as its birthright: the domination of cryptography. 
This was something that the agency could not ignore. After all, if peo- 
ple had access to the means to encrypt their private communications, 
there could be a place a hide — and a universal means to privacy was 
exactly what an agency charged with eavesdropping is hell-bent to 
prevent. Though the realization of a such a threat to its mission was 
slow to filter through the complex bureaucracy at Fort Meade, clearly 
some officials recognized the problem. As early as 1975 the NSA 
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began to work behind the scenes (where else?) to restrict the nascent 
academic field. 

Its first efforts were directed at the National Science Foundation. 
The NSF was an independent government agency designed to foster 
research into all sorts of scientific inquiries; it was extremely common 
for mathematicians and computer scientists to have work funded, at 
least in part, by NSF grants. (These would come to include Diffie, 
Heilman, and the RSA team.) In June 1975, the NSF official in charge 
of monitoring such grants, Fred Weingarten, was warned that the 
NSA was the only government agency with the authority to fund 
research on cryptology. Weingarten was alarmed that he may have 
been breaking the law. So he held off awarding any new grants while 
he sought to clarify the matter. 

What he found was interesting. Neither the NSF lawyers nor 
the National Security Agency itself, when pressed for documenta- 
tion, could come up with any statutory justification for the agency’s 
claim. So Weingarten felt free to ignore the warnings and resume his 
grants. 

Marty Heilman, for one, always appreciated Weingarten’s back- 
bone. “When the NSA told him that he couldn’t fund cryptography, 
that the NSA had a monopoly on that funding, Fred not only was 
courageous but he handled it very well,” says Heilman. “He didn’t say, 
‘You’re full of shit,’ but asked them to put it in writing so he could take 
it to his counsel for an opinion.” 

But then came the Diffie -Heilman paper, followed by the RSA 
discovery. Together, of course, these created the underpinnings for the 
NSA’s worst fear: a communications systems where everyone used a 
secure code. So it seemed hardly a coincidence that on April 20, 
1977 — barely three weeks after Rivest dashed off his MIT techni- 
cal memo — the NSA’s assistant deputy director for communications 
security, Cecil C. Corry, ventured from Fort Meade to the capital to 
meet with Weingarten. He was accompanied by a colleague. Once 
again the officials attempted to ax any NSF grants that might involve 
crypto, invoking what they portrayed as a presidential directive giving 
them “control” over such research. Weingarten reminded them of his 
previous experience, which established that no such directive was ever 
issued. While he did agree to forward relevant proposals to the NSA 
so that the security agency could offer a technical evaluation to use 
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in considering the grant, he insisted that the process be conducted 
openly, with no decisions made under the shroud of silence. 

The NSA people weren’t happy with that compromise, offhandedly 
remarking to Weingarten that “they would have to get a law passed” — 
presumably to ban such academic research unless the Diffies, Heilmans, 
and Rivests of the world were willing to deep-six their work under the 
classified seal. Later, Corry wrote to John R. Pasta, Weingarten’s boss, 
thanking him for a concession that the NSF never made — agreeing to 
consider “security implications” when evaluating grant proposals. Pasta 
made it clear that the NSF made no such promise. 

In a memo he wrote at the time, Fred Weingarten summarized his 
views of the agency’s motives: 

NSA is in a bureaucratic bind. In the past the only commu- 
nications with heavy security demands were military and 
diplomatic. Now, with the marriage of computer applica- 
tions with telecommunications . . . the need for highly secure 
digital processing has hit the civilian sector. NSA is worried, 
of course, that public domain security research will com- 
promise some of their work. However, even further, they 
seem to want to maintain their control and corner a 
bureaucratic expertise in this field. . . . 

It seems clear that turning such a huge domestic respon- 
sibility, potentially involving such organizations as banking, 
the U.S. mail, and cable televisions, to an organization such 
as NSA should be done only after the most serious debate 
at higher levels of government than represented by peanuts 
like me. 

Clearly, NSA wasn’t going to slink away. 

As the skies darkened inside the Beltway, the MIT professors, 
crypto virgins all, were unaware of anything but sunshine. They cer- 
tainly didn’t know of anything in the nation’s export laws and agree- 
ments that could conceivably affect the dissemination of their work. 
They had no idea that while the first half of 1977 was marked by their 
major contribution to the field of cryptography, the latter portion of 
that year would be marked by the government’s efforts to stop people 
from knowing about such work. 
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That summer a letter dated July 7, 1977, arrived at the New York 
offices of the IEEE, addressed to E. K. Gannett, the staff director of the 
organization’s publications board. “I have noticed in the past months,” 
the correspondent began, “that various IEEE groups have been pub- 
lishing and exporting technical articles on encryption and cryptology — 
a technical field which is covered by federal regulations. ...” There 
followed detailed citations, down to the proper subsections of indi- 
vidual regulations that may have already been violated, not only by the 
publishing of certain articles in IEEE publications, but at various sym- 
posia sponsored by the group, including the event in Ronneby, Swe- 
den, where Heilman had first presented public key crypto. As further 
documentation, the letter writer included photocopies of “a few pages 
of the relevant law,” namely the International Traffic in Arms Regula- 
tion (ITAR) code. These regulations were drawn to “control the 
import and export of defense articles and defense services.” While 
people like Ron Rivest had always assumed that defense articles were 
things like nuclear detonating devices, Stinger missiles, and aircraft 
carriers, it turned out that these “instruments of war” were joined on 
the United States munitions list by “privacy devices [and] crypto- 
graphic devices.” None of these was allowed to be shipped overseas 
without specific permission from the State Department. Furthermore, 
these restrictions did not cover merely the actual devices, but any 
“technical data” covering these “weapons.” This was defined as 
“any unclassified information that can be used ... in the design, pro- 
duction ... or operation” of a restricted weapon. If you disseminated 
that information to a foreign national, or even allowed such a person 
to get his or her hands on your materiel (so to speak), you were in vio- 
lation of the law — an enemy of the state. 

The letter writer noted that in October the IEEE planned an Inter- 
national Symposium on Information Theory at Cornell that would 
include papers on encryption. Under current law, he warned, such 
presentations or publications were restricted, and if preprints were 
sent abroad, “a difficulty could arise, because, according to ITAR, an 
export license is required.” His implication seemed to be that such a 
violation of the law could lead to fines, arrests, and even jail terms. At 
the Ronneby conference, the letter darkly noted, “this formality was 
skipped.” 

The message was clear: You academic cryptographers may believe 


110 | crypto 


that your ideas were conceived under the protection of academic free- 
dom and that your mathematical formulas belonged to no one but per- 
haps the God who first crunched them . . . but that is not the case when 
it comes to ideas and algorithms that can be used to encrypt informa- 
tion. Those ideas should be kept under close watch — and government 
control. Clearly, the letter implied, by allowing the Cornell conference 
to proceed, the IEEE would be illegally providing the equivalent of 
heavy-duty military equipment to our nation’s foes. “As an IEEE mem- 
ber,” the writer concluded, “I suggest that IEEE might wish to review 
this situation, for these modern weapons technologies, uncontrollably 
disseminated, could have more than academic effect.” 

The letter was signed by a }. A. Meyer, who identified himself only 
by his home address in Bethesda, Maryland, and his IEEE member- 
ship number. 

Who was this concerned member? It turns out that in January 197 1 
this same Joseph A. Meyer had written an article for an IEEE publica- 
tion called Transactions on Aerospace and Electronics Systems, a paper 
so unusual that the editors felt compelled to include an introductory 
note on its controversial nature. Entitled “Crime Deterrent Transpon- 
der System,” it proposed a system whereby “small radio transponders 
would be attached to criminal recidivists, parollees, and bailees to 
identify them and detect their whereabouts.” By tagging likely law- 
breakers, Meyer claimed, we could create “an electronic surveillance 
and command -control system to make crime pointless.” The bio- 
graphical material described Meyer as a New Jersey native born in 
1929 who got a math degree from Rutgers, spent two years in the 
air force in the early 1950s, and, from that point, “joined the Depart- 
ment of Defense, where he has worked primarily in the field of mathe- 
matics, computers, and communications in the United States and 
overseas.” 

Even a moderately seasoned observer could guess that the unspo- 
ken branch of the Defense Department was a three-letter agency 
whose name seldom appeared in print in 1971. Indeed, several weeks 
after the Meyer letter was received, Science magazine confirmed the 
rumors: Joseph A. Meyer worked at the National Security Agency. 

The timing of Meyer’s missive aroused deep suspicions about the 
NSA’s involvement in crushing independent work on crypto. It was 
sent almost at the moment that Vice Admiral Bobby Inman assumed 
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the NSA directorship and began waging the very war that Meyer had 
declared against academic cryptographers. In the succeeding years, 
however, nothing has emerged to contradict Meyer’s claim (vocifer- 
ously seconded by the NSA) that he had received no orders from 
Inman or anybody else to send his notorious letter. (Inman now 
says that on the day Meyer was writing his letter, he was getting a 
“turnover” briefing from the outgoing director, Lewis Allen — and 
the topic of public cryptography never even came up.) The Senate 
Intelligence Committee, looking into the matter, came to that same 
conclusion in 1978, and now even Marty Heilman believes that it’s 
probable that Meyer was simply a loose cannon. On the other hand, 
the NSA conspicuously refused to repudiate the letter, and Inman later 
asserted to Congress that he believed that Meyer’s comments were 
valid ones. 

In any case, the Meyer letter had an immediate effect. Certainly, the 
organizers of the Cornell conference took the letter seriously — after 
all, if Meyer was right, they and the speakers at their conference could 
wind up in jail for simply presenting their research! It turned out, 
however, that the issue of technical data and the export regulations 
had come up a decade before at the society, and, as E. K. Gannett, the 
recipient of the letter, wrote back to Meyer in a fawning letter dated 
July 20, 1977, “All IEEE conference publications and journals are 
exempted from export license requirements under [ITAR] Section 
125.11 (a) (1).” He went on to cite a footnote to that section that 
“places the burden of obtaining any required government approval for 
publication of technical data on the person or company seeking pub- 
lication.” In other words, he was saying, it’s not our problem — it’s the 
problem of those members who dare perform research in the field. He 
expressed his gratitude to Meyer for “bringing this potentially impor- 
tant question to our attention,” and promised to bring the problem to 
the attention of “potentially interested parties.” Sure enough, on the 
same day, Gannett wrote a memo to Dr. Narenda P. Dwivedi, the 
organization’s director of technical activities, suggesting that the IEEE 
should perhaps ensure that the researchers “are aware of the rules of 
the game.” 

On August 20, Dwivedi wrote to researchers at six institutions. “A 
concerned and good-meaning member has drawn our attention to a 
possible violation by authors of ITAR regulations. ... It appears that 
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IEEE and its groups/ societies/ councils are exempt but the individuals 
(and/or their employers) have to watch out.” Dwivedi then offered 
some advice for the new breed of researchers in cryptography: they 
“should refer the paper to the Office of Munitions Control, Dept, of 
State, Washington, D. C., for their ruling.” 

What Dwivedi was suggesting was neatly in line with J. A. Meyer’s 
wishes. But if a researcher submitted a paper to the State Department, 
he or she would effectively yield control of the work to the govern- 
ment. As far as the MIT researchers were concerned, there would be, 
as Science put it, “a censorship system by the NSA over the research 
of the MIT Information Theory Group.” 

One of the recipients of Dwivedi’s letter was Marty Heilman. He 
quickly showed it to Ron Rivest, who was spending his summer break 
at Xerox PARC in Palo Alto, just down the road from Stanford. “It was 
probably my first realization that our work might involve sensitivities,” 
he says. As soon as he got back to MIT, a worried Rivest consulted the 
institution’s lawyers. 

Rivest, of course, was concerned about the legal implications of 
stuffing copies of Technical Memo Number 82 into the self-addressed 
letters with 35-cent stamps as part of the Scientific American “con- 
test.” Was distribution of the RSA paper to the publication’s readers 
an illegal act? Could MIT be held at fault? Could Rivest and Adleman 
be jailed? And what about Shamir — he wasn’t even a U.S. citizen! 
Could MIT be cited for distributing a paper to one of its coauthors? 

“The requests for our paper were from all over the world,” says 
Rivest. “Some were from foreign governments. It wasn’t clear to me 
what we should do. When you receive this sort of ominous note from 
the NSA that this stuff is illegal, you want to be conservative and get 
it checked out.” Rivest even considered the possibility that some of 
the foreign requests for the memo might have been planted to en- 
trap him under the export regulations, making him a poster boy for 
mathematicians who ventured too deeply into the forbidden turf of spy 
agencies. 

An answer came back quickly from the MIT administration — don’t 
send out those papers until this mess is resolved. To their credit, how- 
ever, the heads of the university, sensitive to principles of academic 
freedom, worked diligently to clear the path for a free distribution of 
the tech memo. Despite MIT’s long history of working with national 
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security agencies, often in top-secret research, this wasn’t easy. This 
time it was dealing with the National Security Agency — and at least 
some NSA officials, now face-to-face with an open challenge to their 
crypto monopoly, were themselves running scared. But this time, they 
had clear-eyed foes who believed that intellectual freedom should not 
be compromised on the basis of unproved claims of national security. 
In this new academic research area, new ground rules would be laid 
and most of the major decisions would be made in the early days. After 
setting the precedents, the MIT researchers believed, it would be 
much harder to change things in a fundamental way. 

At Stanford, Marty Heilman also wasted no time getting an opinion 
from the university lawyers. On October 7, university counsel John J. 
Schwartz assured him that “it is our opinion that the dissemination of 
the results of the research you describe is not unlawful.” Of course 
there was the danger that the lawyers were wrong, and the views of 
J. A. Meyer reflected those of the federal government; if so, Heilman 
might be prosecuted for delivering his paper. Schwartz promised that 
if that were the case, the university would defend him. “Nevertheless,” 
he added, “there would always remain a risk to you personally of fine 
or imprisonment if the government prevailed in such a case.” 

In the end, the Cornell conference — the ostensible focus of Meyer’s 
letter — went on as scheduled, including the very talks that Meyer 
had tagged as potential violations of the export rules and a threat 
to national security. It turned out that the professors had more back- 
bone than the IEEE, which had urged them to vet their papers with the 
government. When two of Heilman’s graduate students fretted over 
the implications of getting cited by the government in the tender 
beginnings of their careers, he volunteered to read their papers him- 
self. “I have tenure at Stanford,” Heilman told the New York Times, 
“and if the NSA should decide to push us in court, Stanford would 
back me. But for a student hoping to begin a career, it would not be 
so pleasant to go job hunting with three years of litigation hanging 
over his head.” 

Ralph Merkle spoke at a panel discussion, too. And Whit Diffie, 
who was not scheduled to speak at the conference, went out of his way 
to give a presentation at an informal session. “There was no trouble at 
the meeting,” he says. “My attitude was that the Meyer letter should 
be ignored.” 
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Meanwhile, MIT’s lawyers were still wrangling with the National 
Security Agency over the legality of stuffing Tech Memo No. 82 into 
the 7000 self-addressed, stamped envelopes moldering in Shamir’s 
office and dropping them off at the post office. The academics had 
pointed out that a clause in the ITAR rules put them in the clear: a spe- 
cific exemption on “published materials.” What did The Fort say to 
that ? 

“As usual with NSA, it was hard to get any complete answer from 
them,” Shamir later recalled. More to the point, it became increasingly 
clear that the NSA could not come up with a legal rationale for its 
actions. So MIT allowed its professors to proceed. In December 1977, 
half a year after Gardner’s column appeared and the requests began 
tumbling in, the namesakes of the RSA algorithm invited grad students 
to a pizza and envelope -stuffing party. And then the papers were 
mailed. The RSA algorithm had gone global. 


Perhaps the existence of these thousands of papers circulating around 
the world, in addition to thousands of reprints and photocopies of the 
Diffie- Heilman papers, should have been a signal to the NSA that the 
crypto toothpaste was out of the tube, and no decrees or scare tactics 
could generate the requisite physics to squeeze it back in. But for the 
next few years the agency, perhaps more from reflex than an expecta- 
tion of success, kept trying to suppress the intellectual activity in the 
crypto world that now seemed to be exploding outside the Triple 
Fence. 

In retrospect, the institutional behavior seems strange and con- 
flicted. But what else could the NSA do? The CIA may have had a rich 
and sordid history of bag jobs, honey traps, and other nut-squeezing 
enterprises, but the Fort Meade culture was dramatically different. 
Though the agency had certainly stepped over the line at times (as 
the Church committee documented), the organizational ethos always 
seemed to regard heroism in terms of the highly intellectual tasks of 
sucking up signals, concocting ciphers, and cracking codes. During 
the years that Whit Diffie crisscrossed the nation seeking guidance in 
his crypto efforts, there hadn’t been even a veiled threat against him, 
and certainly no indication that anyone would sneak up behind him 
in a Palo Alto coffeehouse and quietly use the end of a doctored 
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umbrella to inject him with some exotic, slow-acting poison. That just 
wasn’t the NSA’s style. 

A better question would be, “Given that the law might not back up 
the agency, why bother to fight the movement toward research in 
crypto?” Surely some of the smarter strategists within the Triple Fence 
recognized that, in some ways at least, an independent crypto move- 
ment would not be so bad for Fort Meade. Who was better positioned 
to exploit the revolutionary advances in cryptography than the NSA, 
whose expertise and knowledge of the field was infinitely ahead of any- 
thing resembling competition in either the private or public sectors? 

This was the dilemma facing Vice Admiral Bobby Inman literally 
within days after he took his post as director in July 1977. Though 
he had considerable experience with crypto as the director of na- 
val intelligence — and years before that as a military recipient of sig- 
nals intelligence — the idea of outsiders making important cryptologic 
advances was new to him. He had believed, along with most of his 
peers in the intelligence community, that “the NSA had a monopoly 
on talent,” he now says. “If there were incredibly bright people who 
wanted to work on cryptographic problems, the odds were high that 
they either worked inside the NSA, or worked with one of the scientific 
advisory groups [whose work was classified].” This insurgent revolt hit 
him like a fighter sucker punched at the instant the bell rang to begin 
the fight — especially since the furor over Meyer’s letter drew articles 
in the New York Times and the Washington Post. Inman understood 
immediately that not only was this a new sort of threat to his agency, 
but that new, perhaps unprecedented, responses were called for. 

Nonetheless, during the first few months of Inman’s tenure, the 
NSA kept acting as if the rules had not changed. In October 1977, an 
electrical engineering professor at the University of Wisconsin named 
George Davida applied for a patent for a device that used mathe- 
matical techniques to produce stream ciphers. He had produced the 
plans for this invention without any access to classified information, 
and his funding from the National Science Foundation had no strings 
attached to require him to clear his work with any defense agency. The 
patent itself was filed in the name of the university’s Alumni Research 
Foundation, conforming to a process whereby the university commu- 
nity retains the bulk of any invention profits by Wisconsin professors 
funded by the NSF. Davida next heard from the government on 
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April 28, 1978, not with a patent approval but with a piece of paper 
marked secrecy order. The National Security Agency had declared 
his invention classified material. 

It was bad enough that the NSA had banned production of his 
device. Worse was the dilemma in which Davida found himself. The 
order put a clamp of secrecy not only over his device, but over the 
intellectual material behind the patent application as well. In effect, 
the NSA regarded Davida’ s actual ideas as a sort of poison, a forbid- 
den substance he was banned from circulating. Davida had little guid- 
ance as to how he might adhere to the ban, since his materials had 
already been well distributed. Was he really expected to follow the 
requirement to report all the people who might have seen his work — 
in effect, to drag his colleagues into this kafkaesque realm of ideas too 
dangerous to share? On the other hand, if he refused to comply with 
the secrecy order, he was subject to a $10,000 fine and two years in 
the pokey. 

Davida was not alone. On that same day in April, the NSA had 
slapped a secrecy order on the “Phasorphone,” a voice-scrambling 
device created by a team of scientists led by thirty-five-year-old Seat- 
tle technician Carl Nicolai. Five months after applying for a patent for 
an invention that he hoped would make him a fortune, Nicolai was not 
only prevented from selling his invention, but also from even using it. 

In spook parlance, Davida and Nicolai had become “John Does,” 
stripped not only of their work but of the credit due to them. As James 
Bamford explained in The Puzzle Palace, theirs were the relatively rare 
cases in which objectionable inventions were not independently dis- 
covered duplications of devices that already existed behind the Triple 
Fence but original creations that the government unilaterally regarded 
as too dangerous to be produced. 

But as the NSA was to learn, the days were gone when it could 
casually apply a secrecy order to the work of an academic or entre- 
preneur and have the matter closed. Davida and Nicolai went public, 
organizing well-placed letter -writing campaigns, educating their rep- 
resentatives in Congress, and spilling the story to the press. Davida, in 
particular, a compact, scrappy man who was disinclined to take the 
U.S. government at its word, was strident in his own defense. In his 
case, a quick meeting of university officials led the chancellor to write 
a furious letter to the NSF, demanding due process. The chancellor 
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also brought the matter before Commerce Secretary Juanita Kreps, 
who was apparently dismayed at how easily her patent office could 
become an instrument of censorship. Meanwhile, Davida raged to Sci- 
ence magazine that the NSA’s actions were a form of academic 
McCarthyism. 

The NSA backed down. On June 13, it rescinded the order. Vice 
Admiral Inman’s later explanation, offered during a House hearing on 
“The Government’s Classification of Private Ideas,” was that the 
Davida decision was a mistake by a middle-level employee. 

Several months later, the restrictions on the Nicolai patent were 
also reversed. Since Inman himself had signed off on that secrecy 
order, he later offered a “heat of battle” excuse to the House subcom- 
mittee. “From dealing day to day with the Invention Secrecy Act, you 
have to make snap decisions,” he explained. Overall, he insisted that 
the problem with those two orders was “not a faulty law but inade- 
quate government attention to its application.” Still, that double 
rebuke made it clear that the NSA no longer had free rein in using the 
law to keep crypto in government -approved sealed containers. 

By then Inman had decided to take his concerns directly to the 
institutions he was worried about. In what David Kahn called a “soft 
sell” attempt to quash work in cryptography, he embarked on a tour 
of research institutions. One memorable session occurred in the fac- 
ulty club at the UC Berkeley campus, where Inman’s attempts at 
explaining his point of view were met by relentless, hostile question- 
ing. “It was a dialogue of the deaf,” he says. Still, some comments 
made at the session led him to believe that a more productive rela- 
tionship was possible. In an extraordinary move for an NSA director, 
he phoned Marty Heilman and asked for a meeting. “I liked him,” says 
Inman of the coinventor of public key crypto and DES’s most virulent 
critic. “I think he was impressed that I had driven down to see him, so 
his answer [to the request to begin a dialogue on how public crypto 
should be handled] was a tentative yes.” 

Inman tried to diffuse the most blatant of the NSA’s restrictive acts 
against researchers, many of whom believed that, more than ever, the 
NSA was trying to lure them behind the Triple Fence, where their find- 
ings could be restricted. One of those who learned this firsthand was 
Len Adleman, the once -reluctant “A” in the RSA algorithm. For years 
Adleman had been receiving research funds from the NSF, routinely 
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renewing his grants every three years. In the first proposal he filed 
after being involved with the RSA algorithm, he included a section 
outlining some work involving mathematics that might apply to cryp- 
tography. After fielding the normal questions on such a proposal — 
budget questions and the like — Adleman was startled by a phone 
call from an NSF official informing him there would be additional 
changes. Specifically, the portion of the work that involved crypto 
would be funded by the National Security Agency. 

“I didn’t submit a proposal to the NSA,” Adleman told him. “I 
submitted it to the NSF, right?” 

The official conceded that this was so. But, he said, “It’s an inter- 
agency matter,” and ended the conversation. 

Adleman was incensed. He understood that there might be le- 
gitimate national security concerns about the direction of academic 
cryptography. (What if someone suddenly released a means to crack 
an important code?) But this was over the line. It meant that the coun- 
try’s most secretive intelligence agency was influencing the premier 
scientific funding agency. “In my mind this threatened the whole mis- 
sion of a university, and its place in society,” he says. Adleman decided 
to go public with his concerns. He called Gina Kolata, the reporter for 
Science who had been covering the conflict, and told her the story. 

Not long afterward, Adleman got another call — from Bobby Inman 
himself. The whole thing, explained the director of the National Secu- 
rity Agency, was a misunderstanding. “He was very nice,” recalls 
Adleman. The researcher wound up getting his entire grant funded 
by the NSF. 

For Inman, such compromises were in the service of eventually 
reaching some sort of detente with the academics that would satisfy 
both national security concerns and the researchers’ insistence on aca- 
demic freedom. He believed that, ultimately, he held the trump card — 
one that would not only force the academics to play ball but also 
actually stem the potential tide of actual crypto implementations from 
covering the world. This winning hand lay in the laws known as the 
International Traffic in Arms Regulation. When Inman first arrived at 
The Fort, he told Congress at a hearing some years later, “I didn’t 
even know what an ITAR was.” But, he added, “my education went at 
a pretty fast pace.” 

Specifically, he now says, he came to realize that when it came to 
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controlling crypto late in the twentieth century, “the whole issue is 
export.” Those laws were all that prevented a disastrous free-for-all in 
the distribution of cryptography — the equivalent of a national security 
meltdown. Inman recognized that restrictions on what could be 
shipped overseas, and the threat of prosecution if those laws were bro- 
ken, would force people to deal with the NSA not only in what they 
were permitted to export, but in what they produced for domestic use. 
Those regulations would become the linchpin of the agency’s efforts 
to stop worldwide communications from becoming ciphertext. 

Ironically, the NSA’s own attempts to control private research about 
cryptography had set events in motion that threatened to thwart those 
regulations. The then-White House science advisor was a man named 
Frank Press. The controversy over public crypto had piqued his inter- 
est, and he asked the Justice Department to provide a legal opinion as 
to whether the ITAR laws violated First Amendment free-speech pro- 
tections. The job fell to an assistant attorney general named John Har- 
mon, who carefully analyzed the way the regulations were drafted. He 
discovered that ITAR required a license not only from arms dealers, 
but also from “virtually any person involved in a presentation or dis- 
cussion, here or abroad, in which technical data could reach a foreign 
national.” Presentations and discussions? That was the First Amend- 
ment turf! On May 11, 1978, the Office of the General Counsel issued 
its opinion. It was a bombshell: 

It is our view that the existing provisions of the ITAR are 
unconstitutional insofar as they establish a prior restraint 
on disclosure of cryptographic ideas and information devel- 
oped by scientists and mathematicians in the private sector. 

Inman was furious at this analysis, and he set about to fight it. He 
recruited “a brilliant new lawyer that I had persuaded to come work 
for NSA” to argue against the opinion. One gambit was to claim that 
a recent legal precedent had rendered the Harmon opinion moot. But 
a Justice official rebuffed that interpretation. “We do not believe that 
[the precedent] either resolves the First Amendment issues presented 
by restrictions of the export of cryptographic ideas or eliminates the 
need to reexamine the ITAR,” wrote deputy assistant attorney general 
Larry Hammond. 
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Meanwhile, the NSA was treading a fine line. It was attempting to 
threaten crypto researchers who circulated their findings and ideas 
while it was fully aware that the Justice Department had concluded 
that such threats violated the Constitution. 

All of this wrangling was conducted out of the public eye. And none 
of it seemed to have affected the way that the NSA chose to interpret 
the export laws. So even though Vice Admiral Inman’s sharp young 
counsel was legally unable to overturn John Harmon’s findings, the 
attack against his opinion was effective. Because by not circulating its 
judgment in the matter, the Justice Department was effectively collud- 
ing with the NSA to ignore the possibility that its enforcement of the 
ITAR regulations violated the Bill of Rights. 

All of this came out in 1980, when the government operations sub- 
committee of the House of Representatives held hearings on “The 
Government’s Classification of Private Ideas.” At one point, the com- 
mittee staff director, Tim Ingram, posed a pretty good question. “How 
would I know, as a private litigant somehow ensnarled in the ITAR 
regulations, that I am being involved in a matter that the Justice 
Department, two years previously, has declared unconstitutional?” he 
asked. A Justice official explained that the opinion hadn’t been offered 
for the benefit of such citizens, but simply as advice to the department 
itself. 

This was not acceptable to Ingram. Perhaps thinking of the Rivests 
and Heilmans who had been threatened with jail for presenting their 
papers, or the Davidas and Nicolais who had been confronted with 
secrecy orders, or all the current researchers like Adleman who were 
now encountering more subtle pressures, Ingram had another ques- 
tion to ask: 

You have this two-year-old opinion finding the regulation 
unconstitutional. There has been no change in the regula- 
tions. Is there any obligation on the department at some 
point to go to the president and force the issue and to tell 
the president that one of his executive agencies is currently 
in violation of the Constitution? 

No satisfactory answer was forthcoming. In any case, Bobby Inman 
was worried about the new movement in cryptography and his limited 
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power to stem it. His worst fear was that public adoption of encryp- 
tion “would very directly impact on the ability of the NSA to deliver 
critical information.” He became convinced the agency needed a more 
formal authority to regain the controls over crypto. In his attempt to 
obtain this, he did something no one in his place had ever done. He 
went public. 

His chosen venue for this debut was Science magazine, the most 
aggressive press watchdog over the past few years. Of course, the very 
fact that the interview was granted was news in itself. The article 
quoted F. A. O. Schwarz, who had been chief counsel in the Church 
investigation, as saying, “I’m flabbergasted. Back when we dealt with 
the NSA, they considered it dangerous to have even senators ques- 
tioning them in closed session.” But there was news in Inman’s mes- 
sage, too — the NSA director was now openly extending his invitation 
for researchers to engage in “dialogue” with him and his people. One 
motive I have in this first public interview,” he said, “is to find a way 
into some thoughtful discussion of what can be done between the two 
extremes of ‘that’s classified’ and ‘that’s academic freedom.’ ” But in 
almost the next breath, he conceded that if he got his way — and was 
able to censor academic research that involved national security — his 
proposed “thoughtful discussion” would probably end in “a debate 
between the Administration and the academic community” (one in 
which presumably the pissed-off college professors wouldn t have 
much of an impact on making the government change its national 
security policy) . 

A few weeks later, Inman made an even more extraordinary break 
with the NSA’s tradition of secrecy. He actually delivered a pub- 
lic speech in defense of his agency. True, the venue wasn t exactly 
hostile — it was the January 1979 gathering of a trade association of 
electronics manufacturers who dealt largely in defense contracts. Yet 
the very fact that he was doing it represented a sea change that could 
provoke vertigo in even a vice admiral like Bobby Inman. He acknowl- 
edged this in his very first words: “A public address by an incumbent 
director of the National Security Agency on a subject relating to 
the agency’s mission,” he said, “is an event which — if not of historic 
proportions — is, at least to my knowledge, unprecedented.” In fact, 
just a few years previous, merely uttering the name of the agency 
would have been unprecedented. 
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Now Inman was frankly admitting that the world had changed, and 
not by his choice. He referred wistfully to the days, only now gone, 
when his people “enjoyed the luxury of relative obscurity,” remaining 
closemouthed about their work to spouses and even office mates . . . 
the days when NSA “could perform its vital functions without reason 
for public scrutiny or public dialogue.” But now, in what he called “the 
encounter between the NSA and the rest of the world,” a new era had 
begun, where the NSA’s happy life spent “entirely in the shadows” was 
replaced by an era of “complex tensions” between the government and 
those wishing to communicate securely. Inman’s hope for his talk was 
to explain the NSA’s point of view on those tensions, the better for 
people to understand why it was, well, necessary to do things his way. 

Trust the NSA? Yes, said Inman. His people had gotten a bad 
rap recently, and he wanted to set the record straight. Did his agency 
cook the specifications for DES, perhaps inserting a trapdoor? No 
way. Did the NSA use export regulations to suppress scholarly work? 
Uh-uh. Exert influence to quash research grants? Please. The NSA, he 
insisted, was anything but “some kind of all-powerful secret influ- 
ence.” In fact, that was the problem: while outsiders griped about a 
mighty spy agency with too much power over cryptography, “My con- 
cern,” said Bobby Inman, “is that the government has too little.” 

In a way, Inman had an excellent point; despite being the richest 
intelligence agency on the planet, the NSA was relatively toothless. But 
for its first decades of existence, the agency hadn’t needed laws of its 
own. Its advantages included not only the force of law but the fact that 
sophisticated cryptography was a devilishly specialized field, one that 
few people attempted to engage in, and even fewer could gain suffi- 
cient knowledge in to be a player. It was nearly inconceivable that 
outsiders, or even small governments, could compete with its fire- 
breathing computers, its world-class mathematicians, its unparalleled 
experience, its understanding of crypto history. But then came the 
Whit Diffies of the world — mathematically knowledgeable, with access 
to computers, and knowledge gleaned from books like David Kahn’s, 
books that the NSA had failed to suppress. Now there were dozens of 
them, academics like Ron Rivest and potential entrepreneurs like Carl 
Nicolai. These outsiders were backed by a cadre of civil libertarians, 
screeching that crypto breakthroughs could strike a blow to Big 
Brother. And suddenly, even the weak-hearted attempts of the NSA to 
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stop the tide were being demonized on the front page of the New York 
Times. In Inman’s view, the victim was not free speech, but national 
security. 

But Inman’s proposed solution — a national sacrifice of free speech 
to preserve the national security — was doomed. He wanted trust. If he 
were to get academics to consciously forgo their freedom of speech, 
he needed trust. If trust were currency, though, the NSA’s balance 
would be roughly zero. It had never even bothered to open an bank 
account! It would take more than historic speeches by a sitting direc- 
tor for the NSA to figure out how to manipulate the increasingly out- 
of-control beast of nongovernmental crypto. 

As far as stopping academic research in cryptography, Inman lost 
that round. Despite his attempts to get Congress to grant the NSA 
legal authority to suppress publications, the First Amendment pre- 
vailed. Most impressively, the exemption in the ITAR for “technical 
publications” was clarified to the point that even a Fort Meade appa- 
ratchik couldn’t call it ambiguous. “Provision has been added,” went 
a 1980 revision of the rules, “to make it clear that the export of tech- 
nical data does not purport to interfere with the First Amendment 
rights of individuals.” 

Bob Inman ultimately did forge a sort of compromise with the 
research community. At the NSA’s request, the American Council on 
Education organized a Cryptography Study Group to seek common 
ground. The group, which included both the NSA’s general counsel 
and a host of academics, including critics Marty Heilman and George 
Davida, held its first meeting in March 1980 to consider Inman’s pro- 
posal that some sort of statutory review process be imposed on private 
crypto researchers. The group rejected the idea, citing First Amend- 
ment considerations and the NSA’s inability to show evidence that such 
laws were absolutely necessary to defend the nation. The group’s alter- 
native solution was a two-year experimental process by which those 
publishing work with relevance to cryptography could voluntarily sub- 
mit papers to the NSA for review. If the NSA read the paper and felt 
that the information would somehow compromise national security, 
the researcher could consider such warnings and decide for himself 
whether or not to publish. Meanwhile, the agency would continue to 
fund the research of professionals willing to follow its rules, while 
allowing others to pursue funding by the NS F or any other agency. 
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George Davida issued his own minority report, rejecting even vol- 
untary review. He dismissed the NSA’s concerns outright, including its 
worry that research results might help foes crack our own crypto- 
systems. “This is not likely,” he wrote, “because researchers do not 
engage in cryptanalysis.” His conclusion was “the NSA’s effort to con- 
trol cryptography [is] unnecessary, divisive, wasteful, and chilling. 
The NSA can perform its mission the old-fashioned way: STAY 
AHEAD OF OTHERS.” 

Nonetheless, the policy worked quite well from the point of view of 
researchers, since this meant that there was a way to deal with the 
NSA — or ignore it — without having to worry about getting their work 
deemed a government secret. The two-year trial period of this policy 
passed peacefully, after which the NSA quietly dropped any pretense 
of demanding a presubmission of anything produced by an American 
academic. It faithfully read papers in the field submitted voluntarily, 
and one of its scientists would occasionally address a question to an 
author, even pointing out a mistake here and there. It was all done 
cordially, because the NSA had no authority to go further than that. 

As the 1980s began, the first decade in the NSA’s existence when it 
had private competition, no one understood the challenge better than 
Bobby Inman, whose agency was charged with routinely intercept- 
ing foreign communications concerning the Iran hostage crisis and 
the Russian war in Afghanistan. He was haunted by the idea that 
one day Fort Meade would not be able to deliver such high-quality 
intelligence — because cryptosystems conceived and developed in the 
United States would be put into widespread commercial use. “I began 
to appreciate the export concern much more strongly,” he says. In a 
world where the basic concepts behind sophisticated encryption were 
found in public libraries and articles in Scientific American, and where 
a cryptosystem endorsed by the government itself — DES — was turn- 
ing out to be more popular than the NSA expected, it was more impor- 
tant than ever to stop crypto at the border. The NSA director had it 
pegged: the whole issue is export. 

Diffie, Heilman, and the MIT trio might have broken the NSA 
monopoly, but Inman and his successors were not without their weap- 
ons. In a way, the war over crypto was only beginning. 
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for the next few years, tensions seemed to ease between the gov- 
ernment and the newly emerging independent forces in the world of 
crypto. After Bobby Inman’s unsuccessful campaign to censor crypto 
researchers legislatively, the agency seemed willing to coexist with 
academics treading on turf it once had owned exclusively. There might 
have been some wishful thinking in all of this, a sense at the N SA that 
all of these greenhorn academics were unlikely to turn up anything 
that might truly threaten The Fort’s mission. If the bureaucrats behind 
the Triple Fence believed that, though, they were in deep denial. The 
seminal breakthroughs at Stanford and MIT had turned a beacon 
upon the imaginary crossroads of crypto, where mathematics, com- 
puter science, and data security met. In 1971, when Whit Diffie 
wanted to talk to someone about crypto, he had to travel miles for 
morsels. A decade later, over a hundred members of the new crypto 
community were spending days together on a Pacific beach, dis- 
cussing everything from cutting-edge algorithms to cryptanalysis. 

The “Crypto” conferences began in 1981, when a University of 
California at Santa Barbara electrical engineering professor named 
Alan Gersho invited about 120 potential attendees to his campus, a 
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sprawling collection of modest structures on a bluff overlooking the 
ocean. He’d gotten the names from a list Len Adleman had compiled 
of people who’d shown an interest in nongovernmental cryptography. 
Gersho had wheedled a grant from the National Science Foundation 
to stage the event. About one hundred people showed up, including 
Diffie, Rivest, Merkle, and other newly minted luminaries in Cipher 
Land. They delivered papers — many of them offering refinements on 
the new public key schemes like knapsacks and RSA — gave talks, and 
schmoozed at cafeteria lunches and a barbeque on the beach. Gersho 
had planned the conclave as a one-time gathering, and despite the 
excitement, there were no immediate plans for a follow-up. Not long 
afterward, some European cryptographers held an invitation -only 
meeting in Germany, but that was also designed to be a stand-alone 
event. 

It was a then-minor player in the Santa Barbara shindig, a mere 
graduate student, who actually took the lead in making sure that such 
meetings would be held regularly. His name was David Chaum, and 
he would not be a minor player in the field for long. Working with no 
support, he got a copy of Adleman’s list of crypto academics and 
began organizing a return to the beachfront campus. Chaum also felt 
that the overseas event should be repeated, but under a different group 
of leaders. He hadn’t been invited to the German meeting but had 
gotten the impression that its organizers were “a little off to the 
right.” So he talked to some European cryptographers about organiz- 
ing an annual spring “Eurocrypt.” Finally, Chaum thought that both 
yearly shebangs should be under the care of an actual organization of 
independent cryptographic researchers. He quietly made plans to 
form such a group. His inspiration was a speech by Martin Luther 
King Jr. he’d once heard that emphasized the word “organization” as 
a path to liberation. 

Concerned about possible pressure from the NSA to smother his 
plans in the bassinet, Chaum kept his communications to a minimum. 
You never know who’s listening, especially in a government of snoops. 
He took care to compartmentalize the information he discussed with 
people: while he landed Ron Rivest to chair the Santa Barbara confer- 
ence program, for instance, he didn’t share his plans for the crypto 
society with Rivest. He avoided the telephone, instead arranging face- 
to-face meetings with those he wanted to reach. He typeset the con- 
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ference notices himself, and got them printed at the same small Berke- 
ley type shop that produced Covert Information Bulletin, a well-known 
newsletter critical of U.S. intelligence activities. 

His efforts paid off: the second conference, Crypto ’82, turned out 
to be even more exciting than the first. Serendipitous events, like the 
freewheeling “rump session” held toward the end of the week, solidi- 
fied into traditions. The rump sessions, usually hosted by Diffie, mixed 
frivolous parodies of mathematics papers with serious, last-minute 
cryptological developments, but the tone was often raucous and ir- 
reverent. One year, speakers were required to speak in a code that 
replaced certain words with silly alternatives (for instance, instead of 
“Diffie-Hellman,” you had to say “Coke bottle”). Missed cues were 
greeted with a shower of water. Another year, some foreign visitors 
took too literally Diffie’s announcement that there would be a special 
session before breakfast the following morning with ninety minutes of 
Belgian jokes. 

One well-anticipated session at Crypto ’82 was the presentation of 
a collection of papers on cryptanalysis, chaired by Whit Diffie. The 
very inclusion of the topic on the agenda couldn’t have pleased the 
NSA: in its view, any knowledge of codebreaking outside the Triple 
Fence represented a possible threat to its own codes. Diffie himself 
had been worried that the session would be a bust. Over the winter he 
had arranged for the presentations. But one by one, for various rea- 
sons, his presenters dropped out. By late spring only one survived — a 
talk entitled “The Bombe at Bletchley Park,” by one of the original 
World War II codebreakers. 

It was Adi Shamir who came to the rescue. Shamir had been study- 
ing Ralph Merkle’s knapsack scheme for public key cryptography. 
And now, several weeks before the conference, he thought he had 
broken it, at least the weaker variation of the system known as the 
single-iteration knapsack. In the days following his announcement, 
others figured out a way to use his techniques — which themselves 
were based on mathematical innovations discovered by Hendrick 
Lenstra — to launch wider attacks. Diffie’s panel would be the ideal 
time to test these ideas. So by the time the cryptographers met in 
Santa Barbara that summer, Diffie’s program was filled with would-be 
assaults on knapsacks. 

The most interesting one would be Len Adleman’s. He not only had 
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come up with a variation on Shamir’s ideas, but had also actually pro- 
grammed the technique on his Apple II personal computer. The cryp- 
tographers in Santa Barbara decided to try a little experiment. During 
the first night of the conference, a gauntlet was tossed to Adleman — 
an encrypted knapsack message. Could he use his little machine to 
decode it? (If so, he would presumably collect the $100 reward 
Merkle had offered some years earlier.) The answer would come a 
couple of days later, right there in Diffie’s session, when Adleman’s 
attack would either bring him new glory — or leave him mortified in 
front of his crypto contemporaries. 

Adleman was scheduled to speak last. “The hour passed,” Diffie 
later recounted. “Various techniques for attacking knapsack systems 
with different characteristics were heard; and the Apple II sat on the 
table waiting to reveal the results of its labors.” When Adleman came 
forward to speak, he appeared anything but confident. He said he’d 
give “the theory first, the public humiliation later.” (He subsequently 
would explain that the humiliation he referred to was not Merkle’s but 
his own, if “the numbers didn’t turn out right.”) Then he proceeded 
with a description of his methods. While he talked, Carl Nicolai (the 
inventor whose crypto device had been temporarily suppressed by an 
NSA secrecy order in 1978), fiddled with the Apple II, which had been 
working away for the past few days, using Adleman’s formula to crack 
the encrypted message. Before long, Nicolai began painstakingly copy- 
ing a screenful of numbers from the Apple’s monitor onto an over- 
head-projector transparency sheet. 

Finally, Adleman finished describing how his attack worked. It was 
time to see whether it worked. Nicolai gave the transparency to Adle- 
man, who handed it to Adi Shamir. He also gave Shamir the sealed 
envelope with the numerical message encrypted earlier in the confer- 
ence. Shamir placed the sheets side by side in the overhead, beaming 
the results on the screen. They matched precisely. 

Diffie would later write that “the public humiliation was not 
Adleman’s — it was the knapsack’s.” Indeed, this crack was the pen- 
ultimate blow in what would turn out to be the utter destruction of the 
groundbreaking, clever, yet ultimately useless Merkle knapsack public 
key cryptosystem. The coup de grace was instigated by Merkle him- 
self. Paying the $ 1 00 to Adleman had not been particularly traumatic; 
Merkle had half expected someone to break the single-iteration knap- 
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sack scheme, which was the much weaker cousin of the real thing, the 
multiple -iteration version. In fact, Merkle felt secure enough to cast 
another challenge. In November of that year, he wrote a letter to Time 
magazine, offering $1000 to the first intrepid cryptanalyst who suc- 
cessfully decoded a multiple -iteration knapsack. Two years later, 
Merkle had to write a check for a cool grand to a researcher from San- 
dia National Laboratory named Ernie Brickell, who used a govern- 
ment Cray supercomputer to rip open a 40-iteration knapsack. When 
later asked what the problem was with the knapsack scheme, Merkle 
was succinct: “It didn’t work.” 

The significance of the knapsack attacks went far beyond the 
destruction of Merkle’s system. In fact, the moment at which Len Adle- 
man’s Apple publicly destroyed a potentially valuable cryptosystem 
could be seen as a symbolic turning point in the still uneasy balance 
between the NSA- affiliated crypto spooks and the swelling ranks of 
outsiders who independently studied the protocols of crypto and rou- 
tinely published their results. It was now clear that simply by sending 
scientists to a conference and subscribing to a few journals, a foreign 
government could get the kind of training in cryptology that was pre- 
viously limited only to a sanctioned elite. It meant that codebreakers 
everywhere would be more resourceful. Only months before, govern- 
ment critic George Davida had mocked the NSA’s calls for prepubli- 
cation review by asserting that the agency’s biggest worry — that the 
outsiders would circulate codebreaking methods — was ridiculous. 
“Researchers do not engage in cryptanalysis,” he wrote. But clearly, 
they did. 

Some at the NSA understood the threat that an independent crypto 
community represented: one of them approached Diffie and glumly 
observed, “It’s not that we haven’t seen this territory before, but you 
are covering it very quickly.” 

The only thing worse for the NSA would be watching the work of 
these academic cryptographers put to practical use. If an industry 
could be built on selling cryptography, and masses of people started 
using coding technologies, then the clear unencrypted signals inter- 
cepted by the NSA’s listening devices — whether cell phone calls or 
computer e-mail and files — would change to a dense white noise, a 
chaotic fugue that the agency’s computers might, with some effort, 
decipher. Or might not. 
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Could crypto be commercialized? Although the common use of per- 
sonal computers, and, later, the Internet, demanded a way to protect 
information and verify who was sending it, the means of getting there 
was at best a rutted path. The bumps and potholes in that road are best 
illustrated by the fortunes (or lack of them) of the company founded 
by Ron Rivest, Adi Shamir, and Len Adleman. As with their landmark 
algorithm, the firm bore their initials. But while the RSA algorithm 
quickly reached an enthusiastic audience, the trajectory of their com- 
mercial operation initially threatened to resemble a busted missile 
launch. 

In fact, despite the rosy predictions of a crypto Renaissance in the 
seminal Diffie-Hellman and Rivest- Shamir -Adleman papers, there 
was little reason in the early 1 980s to believe that serious bucks would 
ever be earned with the technology. Who would get venture capital to 
manufacture crypto products? How would those products be built 
into systems so that one could reasonably be assured that a scrambled 
document could actually be unscrambled by its recipient, or that the 
person receiving a digital signature would have the wherewithal to ver- 
ify it? Nobody knew whether actual paying customers would be will- 
ing to put up with the difficulties that would come with having their 
computers crunch huge numbers for encryption and authentication. 
In fact, nobody knew if a substantial enough set of customers existed 
who were willing to pay for those things at all. “Some people said our 
stuff might turn out to be useful, but it wasn’t clear whether this would 
turn out to be successful in a commercial sense,” says Rivest. 

Still, the universities that had employed the crypto researchers 
hedged their bets by patenting their public key breakthroughs. In 
December 1977, MIT filed for its patent on the RSA algorithm. Ironi- 
cally, the very act of filing for a patent made crypto’s widespread adop- 
tion potentially less likely. There was a definite Catch-22 aspect to 
claiming crypto as intellectual property: if algorithms were patented, 
then they could be used only by those who licensed them from the 
owners (presumably for a fee). But such tariffs might create a disin- 
centive to universal adoption. If crypto was to be useful on a large 
scale, it stood to reason that everyone had to be using the same sys- 
tem, a convergence that would come about much more quickly if the 
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system was free. It was a classic example of the Network Effect, a 
positive feedback loop in which value comes only with ubiquity. If 
everyone wasn’t using the same algorithms, then communicating with 
others in secret would be infinitely more difficult. It would be as if Bob 
had to worry about what brand of phone Alice used before he could 
ring her up. 

Not that this bothered the institutions that helped subsidize the 
public key research. While MIT had only the RSA system as its intel- 
lectual property, Stanford actually pursued a number of patents, rang- 
ing from a general claim for public key crypto to more specific 
implementations, including the Diffie- Heilman key exchange protocol 
and Merkle’s knapsack scheme. 

But the benefits of holding patents would be limited. For one thing, 
the largest current market for crypto — the government — didn’t have 
to pay to exploit either the Stanford or the MIT work. Both sets of 
cryptographers had enjoyed the support of the National Science 
Foundation, and the fruits of such subsidized research were, by law, 
available without charge, in perpetuity, to any and all federal agencies. 
And if that weren’t enough of a handicap, it turned out that both the 
Stanford and the RSA patents were valid only in the United States. In 
the case of both breakthroughs, the researchers had presented their 
findings before actually applying for the patent, an innocent mistake 
that didn’t affect their patent rights in the States but that did (because 
of the way patents are treated abroad) disqualify them from such pro- 
tection in Europe. 

Still, once the patent filings were under way, it became clear to 
Rivest, Shamir, and Adleman that they still had the inside track on 
exploiting those patents. MIT was known to be generous in licensing 
its intellectual properties to the people who actually created them. 
(Any other stance would have risked a faculty revolt.) But the trio 
faced a unique situation: their crypto scheme had the potential to be a 
worldwide standard for privacy and commerce, but so far, the only 
thriving commerce in the field was in the realm of defense contractors 
and the relatively new market for DES -based products for financial 
institutions. In any case, none of the three researchers had any busi- 
ness experience. Nonetheless, they decided to forge ahead, hoping to 
transform their mathematical breakthroughs into something that ac- 
tual human beings could use to communicate. Their hopes were high, 
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and at least one of them thought that a payoff was around the corner. 
Len Adleman splurged on a flashy red Toyota. “It cost three or four 
thousand bucks, a big investment since I was making, like, thirteen 
thousand a year,” he says. “But I thought I would soon have money to 
throw away.” 

One of the problems in the late 1970s was that the most common 
general-purpose computers were too weak to generate good RSA 
encryption. In order to efficiently perform the calculations required to 
generate primes for a key and do all the mathematics required in 
encryption, decryption, and authentication, the MIT professors essen- 
tially would have to build a little computer-within-a-computer (on a 
circuit board loaded with specially designed chips) dedicated to those 
tasks. Rivest, aided by his colleagues, began working on such a device. 
After months of work they came up with hardware that could crunch 
two 50-digit primes in less than a second. 

Then reality sank in. There was no way that these relatively expen- 
sive circuit boards could become a mass-market product. It was 
absurd to assume that millions of people would pay several hundred 
dollars to install a complicated circuit board inside their computers in 
order to participate in a revolution that they hardly understood. 

So in 1981, the MIT trio came up with a more plausible scenario. 
They would put the RSA algorithm on a chip. Semiconductor chips 
could be mass-produced, and when millions of them were churned 
out, their costs shrank. You could even put tiny chips on credit-card- 
sized “smart cards” for people to carry around. 

The timing seemed right. Just a few years earlier, when IBM used its 
vast resources to make history by putting DES on a chip, it had been 
inconceivable that a few academics could attempt such a feat without a 
passel of deep-pocketed investors. Back then, such a feat would have 
been about as unlikely as a few grad students in some random engi- 
neering department deciding to launch a rocket to the moon. But in 
the interim, a Cal State professor named Carver Mead had changed all 
that. Mead, a veteran of the Silicon Valley semiconductor industry, 
was the guru of Very Large Scale Integration (VLSI), a technology 
that shrank what was once a huge computing machine into a thumb- 
nail-size silicon chip. Eager to encourage research in the field, Mead 
had not only published a book on the subject, but helped set up a fab- 
rication facility — known as a fab — to help academics actually build 
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their own chips. At the time MIT was gearing up its own VLSI pro- 
gram, and Rivest signed up to run an experimental project that would 
result in getting the entire RSA process on one of those tiny chips. 

Meanwhile, they continued what had become an ongoing, if unin- 
tentionally comedic, effort to interest a big business mogul — any 
mogul — in the world of cryptography. As math nerds unschooled in 
the niceties of venture capital and unsuited for poker-faced negotia- 
tions, they were at the mercy of any random suit they hooked up with. 
But sometimes they lucked out and met someone who actually con- 
nected with the religion of it all. One such fellow was Pat Cremen, a 
loquacious Irishman who worked for the big Ericsson electronics firm. 
But he, too, was more of a vision seeker than a deal cutter. After exam- 
ining the MIT crew’s algorithms, he broke into rhapsodies about the 
coming age of electronic wallets and virtual money. Rivest and his col- 
leagues were transfixed by that vision, and probably wound up men- 
tally counting the megabucks that would fill their own digital wallets 
when this new world came into being. They traveled to Dublin to pur- 
sue the idea. While the mutual admiration society was morale build- 
ing, it turned out to be nothing more than that. Cremen ultimately 
failed to convince his bosses at Ericsson to put up the bucks. 

Maybe the bosses were right. There is a telling anecdote from this 
period. To implement RSA on a chip, the MIT scientists found them- 
selves on the cutting edge of VLSI chip design. They had to invent 
their own tools, which potentially became valuable intellectual prop- 
erty in and of themselves, stuff that corporations and foreign spies 
might covet. For instance, in order to keep track of the hundreds 
of thousands of logic gates and transistors on the chip design, Rivest 
wound up writing elaborate chip -simulation software to organize 
the project. His program made things much easier when negotiat- 
ing the chaos the scientists were generating on the fifth floor of Tech 
Square — when they would spread out huge layouts of the chip, parts 
of which Adleman had designed, parts of which Rivest had modeled, 
and other pieces that Shamir had created — wondering where this wire 
went or what that transistor did. So much easier, in fact, that it began 
to dawn on the trio that the software they were using to create the chip 
might have as much commercial or military value as the RSA algo- 
rithm itself. 

By creating this valuable technical property, they found themselves 
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in the situation in which they imagined their future customers might 
one day be: possessing secrets worth protecting and in need of a sys- 
tem to protect it. So one night they sat down together and wondered 
whether they should protect all their precious ideas ... by encrypting 
them. Did these pioneers of cryptography indeed use their own system 
to protect their ideas? “I remember our decision was, ‘Naaah, it’s too 
much trouble,’ ” says Adleman. “Too much work to encrypt it. And we 
never did.” The irony was lost on them. But the reality was they were 
harboring big-time hopes for a technology that even its inventors 
considered a pain in the ass to use! 

They all thought that Rivest’s chip -simulation system was a master- 
piece. “We didn’t just throw this thing together and hope that a hun- 
dred thousand things were going to work out,” says Adleman. “Ron’s 
software simulated the chip according to Mead’s rules.” Because the 
simulation was sound, boasts Adleman, “we knew the chip would 
work.” 

But when they tested the actual chip, it didn’t work. Instead of 
crunching primes and other stuff, it did nothing. Adleman blames the 
failure on their overreliance on Carver Mead’s publications. “The 
rules in his book weren’t complete,” he says. But in fairness to 
Mead — who in any case wasn’t working for the MIT trio — the RSA 
project was larger than any he had contemplated to date. While other 
researchers were creating little baby projects like chips that would 
operate streetlights, the MIT people were using advanced mathemati- 
cal algorithms, with huge prime numbers and zillions of calculations, 
to choose keys, encrypt text, decipher scrambled missives, process pub- 
lic keys, and sign messages with digital signatures. So much was going 
on that the silicon “wires” in the chip were, by standards of microtech- 
nology, extremely long, sort of nano -equivalents of transatlantic cable. 
This made it all too easy to place those silicon microthreads too close 
to each other, causing deadly “crosstalk” that would flip bits and ruin 
the calculations. That’s not what you want when performing precision 
math. 

“It had simulated perfectly.” Rivest sighs. “But the fabrication 
process didn’t return working chips. It probably just needed some lit- 
tle tweak in the processor design.” In other words, though the experi- 
ment was a technical failure, Rivest was confident that the system 
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could ultimately work. Still, the failure to produce a working proto- 
type was not a great selling point. 

Nonetheless the three scientists persisted. In 1983, they formally 
joined the world of commerce by creating RSA Data Security, Incor- 
porated (they had originally hoped to call it simply “RSA,” but that 
was the name of a garbage collection company in Maine) . There was 
no product, no customers, and no evidence of demand. And not even 
their dreams at that point flirted with the possibility that one day hun- 
dreds of millions of people would use their new company’s technology 
on a daily basis. 

By that point, Len Adleman was getting fed up with the whole 
process. He felt that he was getting further away from where his tal- 
ents lay, in theoretical math. All the intellectual effort expended in 
squeezing formulas into silicon, he thought, might be better spent try- 
ing to discover Fermat’s last theorem or some similarly epochal chal- 
lenge. Still, he hung in, hoping that if he and his colleagues could get 
their new company on a solid commercial footing, they would cash in. 
Then Adleman, at least, could return to his vocation, gleefully cover- 
ing white-boards with intricate equations that had no discernable 
practical application. 

As mathematicians, they knew that the principle of Occam’s razor 
applied: the shortest solution to the problem was a straight line. But in 
this real-world puzzler of making a business succeed, there were end- 
less detours in getting to point B. “We were clueless on this stuff,” 
says Adleman. Their first CEO was the reluctant Adleman himself, a 
man whose head was clearest when among the clouds. “At various 
times I was the prime mover; other times it was Ron,” he says now. 
(Adi Shamir, in the process of moving back to Israel to work at the 
Weizmann Institute, wasn’t as active.) Adleman naively figured that 
he’d handle this moonlighting lark in the spare moments left over from 
his new post as an associate math professor at the University of 
Southern California. 

They did understand they needed someone with experience to 
advise them. Somehow, they hooked up with a business consultant 
named Ted Izen, who was able to concoct one thing that the three bril- 
liant MIT professors collectively had not managed to produce: a busi- 
ness plan. They also looked to Izen to come up with investors — fast. 


136 | crypto 

After months of delay and revision, the government was expected to 
finally grant MIT the patent for the RSA work. The Stanford patents 
had already been granted; on April 29, 1980, U.S. Patent 4,200,770, 
“Cryptographic Apparatus and Method,” credited Diffie, Heilman, 
and Merkle as the inventors of public key cryptography. And on 
August 19 of that year came another Stanford patent, for the work of 
Heilman and Merkle. Called “Public Key Cryptographic Apparatus 
and Method,” it specifically dealt with knapsacks but more broadly 
claimed to cover any implementation of the public key idea. 

The impending MIT patent built upon those Stanford patents to 
cover the RSA algorithm. If the new company was to succeed, it 
required the exclusive rights to that innovation; otherwise, more estab- 
lished competitors could simply license the RSA work from MIT and 
blow away the company formed by the actual R, S, and A. Here’s 
where MIT’s generosity kicked in. The university agreed to grant 
Rivest, Adleman, and Shamir the exclusive rights to their invention. 
For a price — $150,000. (Generosity goes only so far.) Where would 
these young math professors find that kind of cash? 

Izen delivered the answer: a Reno, Nevada, physician and busi- 
nessman named Jack Kelly. He had a company called Sierra Micro- 
systems in Lake Tahoe that designed chips and which could be a 
potential business partner for this new company. One day Kelly flew 
his private plane to Burbank to meet with the RSA trio. For the 
researchers, the easy part turned out to be convincing him that in an 
emerging information age, a technology like RSA’s was going to be 
absolutely pivotal. The harder part was forging a deal that the novice 
entrepreneurs would feel good about in the morning. Adleman later 
came to view the experience at a philosophical distance. “He was an 
experienced businessman, and I was an inexperienced businessman,” 
he says. “And when that combination gets together, it is often the case 
that the inexperienced businessman gets some experience.” 

Nonetheless, Kelly provided the requisite six-figure sum — 
$225,000 — that RSA Data Security needed to survive. And so, when, 
in September 1983, MIT was granted U.S. Patent 4,405,829, entitled 
“Cryptographic Communications System and Method,” its inventors 
were ready. Nine days later the fledgling company paid MIT the 
$1 50,000 (plus 5 percent of all its future revenues) for exclusive rights 
to the patent. 
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With a real investment and control of its intellectual property, it was 
time to begin behaving like a business, creating and selling uncrack- 
able cryptographic tools to anyone with a computer. With the remain- 
der of Kelly’s investment, they set up an office in Silicon Valley and 
hired a professional manager to run the company. His name was 
Ralph Bennett. He had an impressive resume — he’d worked at respect- 
able companies like Fairchild Semiconductors — and from the point of 
view of the MIT professors, this fifty -something businessman seemed 
as good as anyone else around. 

With Bennett’s help, the company began gathering a workforce, 
including a sharp young marketer named Bart O’Brien. Even to an 
academic like Len Adleman, O’Brien, who had worked for a Florida 
high-tech company called Paradyne, was impressive. He was a slick 
dresser and an aggressive salesman who dreamed of running his own 
business. One day Adleman accompanied O’Brien on a sales call and 
was dazzled at the deft manner with which O’Brien parried the poten- 
tial customer’s objections. 

Having deemed the RSA-on-a-chip scheme too complicated, the 
team’s first product was to be a software program mainly used to 
encrypt e-mail and stored data on personal computers. It would be 
called Mailsafe, a public key cryptosystem that would run on the most 
popular business personal computer, the IBM PC, and its clones. 
Adleman worked on the algorithms and Rivest concentrated on the 
implementation. Though Adleman did not find the work as intellectu- 
ally thrilling as pure theory, he was engaged by the challenge of the 
alchemy of commercial programming, discovering tricks to make the 
math routines run more efficiently. 

Since both professors were working in their spare time, Mailsafe 
turned out to be a long project. During the development period, of 
course, RSA Data Security had no revenues. And Kelly’s investment 
was just about dried up. The situation became increasingly desperate. 
In theory, the company could get income from outside investors or 
advances paid on licensing deals. But under Ralph Bennett, not much 
of that was happening. Some of the people involved with the company 
would later claim that Bennett didn’t understand the nature of high- 
tech start-ups, and he wasn’t ideally prepared to evangelize the 
groundbreaking area of cryptography. In any case, the state of the 
young enterprise was, to say the least, precarious when Bart O’Brien 
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called upon an old Paradyne friend of his named Jim Bidzos to help 
out with sales for RSA. 

At the time, it seemed like just one more random call. But the 
entrance of Jim Bidzos not only changed the future of the company, 
but the technology itself. Crypto had found its first super sales- 
man. And the repercussions would ripple from Silicon Valley to Fort 
Meade. 


Jim Bidzos was an unlikely savior for public key cryptography. The 
closest he came to processing algorithms was figuring out back- 
gammon odds in the high -stakes Las Vegas tournaments he liked to 
frequent. Bidzos was then thirty-one, a Greek national born on Feb- 
ruary 20, 1955, in a mountainous region near the Albanian border: “A 
very, very small village in the middle of nowhere, no roads, maybe sev- 
enty people,” he says. Bidzos’s family had been there for ages; his 
father had taken a bride from a neighboring village in an arranged 
marriage. Bidzos was the second of four children, born in a small 
stone house. In the late 1950s, his father left Greece to do what Bid- 
zos calls “the classic immigrant thing: he didn’t speak the language, 
had no training, no education, no skills, but he joined some people 
from the village who had gone to Ohio.” About two years later, when 
Bidzos was five, he and his mother and siblings followed. 

Young Jim Bidzos took to America quickly. While his parents 
instilled some values from the old country in him, his iconoclastic 
nature seemed to fit the looser pace of American life. A naturally bright, 
though not particularly diligent, student, he breezed through school. 
He describes himself as a rebellious teenager: not necessarily a trouble- 
maker but the kind of kid who made it a point to do precisely what 
he was told not to do. He wound up in the marines. After his military 
stint (though not as a U.S. citizen; he held, and still does, a Greek 
passport), Bidzos attended the University of Maryland. While he 
majored in business, he did take some courses in computer program- 
ming. He claims to have written one of the earliest computer viruses, 
“just to prove it could be done.” After a couple of years at Maryland, 
he took a job at IBM and never went back to school. 

In the early 1980s, he got a visit from a headhunter. Would he 
be interested in working for Paradyne, a Florida firm that made net- 
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working equipment for IBM mainframes? The position was in market- 
ing, but technical skills were required to explain products to customers. 
Paradyne was a fairly buttoned-down company, with almost two foot- 
ball teams’ worth of vice presidents who had come over from IBM and 
had adopted some of the company’s uptight culture: the black shoes, 
the starched white shirts, the feeling that you’ve screwed the pooch if 
you’re the first one to leave on a given day. But Bidzos had learned how 
to play the corporate game. Indeed, he thrived at it, racking up a series 
of promotions. At Paradyne, he also learned how to use an expense 
account. During vacations he’d blow off steam: his passions included 
motorcycle racing, high-stakes backgammon, and women. His journals 
from the seventies are permeated with notations about this woman or 
that. Still in his late twenties, he was living a Hugh Hefner-esque 
bachelor existence. 

This status was endangered only once, by a young woman he began 
dating; Bidzos sensed that she might really be the one. The matter was 
brought to a head by a change in his job situation. Bidzos had been 
getting bored at Paradyne. The white -shirt culture was making him 
nuts; he wanted to be in a less structured, more freewheeling environ- 
ment, with high risks and rewards. To strike out on his own. But when 
he finally cut the cord at Paradyne and began a global marketing firm 
with some friends, his girlfriend uttered the words every confirmed 
bachelor dreaded: it’s now or never. She felt that if they didn’t marry, 
this new venture would take him away. Ever the deal maker, Bidzos 
chafed at being handed an ultimatum. It would be submitting to her 
terms. He would never get married under pressure, even to a woman 
he loved. So it was over. 

His girlfriend had been right about the lifestyle: his new job selling 
high-tech equipment to international customers and his own services to 
clients was all-consuming. Almost every month he’d go to Europe or the 
Far East — some months he’d hit both continents, a global ricochet — 
staying in the best hotels, dining in the best restaurants, choosing the 
priciest wines, and doing the deal, always doing the deal. Then he hit a 
wall. Was this to be his life — on the road all the time, looking for the 
next client? He began to ponder his lost love affair. He quit the com- 
pany and began working on freelance marketing projects. If he needed 
a few bucks, something would come up. He was bored with Florida by 
this time and wanted to move to California. A firm for whom he’d sold 
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IBM-compatible computer terminals offered him a job that would take 
him west, but he wasn’t interested. The president of the small company 
came back with a counteroffer. “I know you want to come here,” he 
said, “and I know you like my receptionist, so if you come and work for 
me two days a week, I’ll pay for the move — just give me six months.” 

The guy had pegged Bidzos right — he did like the receptionist — so 
he was in California by August 1985. Then he got in touch with his 
friend Bart O’Brien at RSA Data Security. 

O’Brien had mentioned RSA to Bidzos back in May, had even Fed- 
Exed him a business plan. But Bidzos, who’d been about to leave on a 
five-week trip to Europe, couldn’t make any sense of it. He’d forgot- 
ten about it in the excitement of his travels. When he returned to his 
Florida apartment there were a few more envelopes waiting for him, 
all of which contained new and different RSA business plans, which 
apparently reversed course quicker than a backgammon game. Obvi- 
ously, this strange new company was a work in progress. 

But O’Brien kept pushing. He invited Bidzos to stop in San Fran- 
cisco on his way back from a trip to the Far East. Bidzos had barely 
arrived when O’Brien immediately embarked on a business trip of 
his own, leaving Bidzos with the keys to his apartment and car and a 
mandate to stay for a week and have some fun. Naturally, Bidzos took 
to Baghdad by the Bay, and began to make frequent return visits. 
O’Brien used these opportunities to ask for advice on RSA’s revolving 
business plans, and to solicit ideas on raising money. “You should 
come here to work,” O’Brien kept saying. 

Bidzos wasn’t quite ready for that, but he began to spend more 
time doing freelance projects for RSA, writing up a marketing plan 
and studying the possibilities of selling the entire system to IBM. The 
more he learned about the company’s mysterious product, the more 
intrigued he got. Despite being a motorcycle -racing, woman-chasing, 
wine -quaffing, high-risk gambler, Bidzos also had an intellectual 
streak, and he got a huge kick out of hanging out with the engineers, 
and particularly the cryptographers. 

One amazing night in late 1985, he met the most brilliant guy of all: 
Whit Diffie. Bidzos joined a group of RSA people treating Diffie to 
dinner at a Mexican restaurant at the Stanford Mall. The company 
had long been urging the public key inventor to become its chief sci- 
entist (at one point Diffie had even accepted, but wound up holding 
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off until the company got more funding). The group included 
O’Brien, Ralph Bennett, and A1 Alcorn, who’d been a key figure in the 
early days of Atari and Apple; RSA had been wooing him to join the 
company as well. Bidzos was dazzled at the conversational interplay 
between the brainy Alcorn and the enigmatic Diffie. After some cur- 
sory discussion about RSA’s future, the two minds just sort of hooked 
up and Bidzos grooved on the conversation like an uptown hipster 
wanna-be who’d sneaked into a secret jam session between Miles and 
Trane. 

As the group broke up, Bidzos asked Diffie if he might be available 
for lunch sometime to talk more. “I’m always available for lunch,” said 
Diffie. Over the next few months — years, really — Bidzos would take 
Diffie out for meals in Palo Alto and Berkeley for what was essentially 
a roaming tutorial in cryptography, public key, privacy, and politics. 
He eventually became quite knowledgeable on crypto’s fine points. On 
the other hand, Ralph Bennett — at least as far as Bidzos could tell — 
didn’t seem to be as charmed by Diffie. And vice versa. Bidzos recalls 
one lunch with the three of them at which Diffie began eyeing Ben- 
nett’s ham -and -cheese croissant sandwich. The stare was so intense 
that Bidzos was sure that Diffie was about to lunge at the food. Ben- 
nett must have noticed, too, because he offered Diffie a piece. Diffie 
declined, but kept staring at it. Suddenly, the long-haired, bearded 
cryptographer pulled out a large knife he’d been carrying, pulled the 
plate toward him, and whacked off half the sandwich. Then he calmly 
ate it. God knows what Bennett thought about that. But it obviously 
wasn’t a bonding moment. 

Bidzos soon realized that this little company trying to sell a crazy 
product to scramble computer data was in huge trouble. They had yet 
to ship a product or even license an algorithm. Operating expenses 
were murderous. The rent alone was a huge burden. O’Brien, ever the 
optimist, had rented the company a huge space in Redwood City near 
the Bay, just across from Oracle. It was the size of a soccer field, even 
though layoffs had left fewer than five employees. 

There was another potential land mine waiting to explode. It 
involved a loan from an investment banking operation run by two guys 
in New York. One was an Italian named Vinnie, who spoke with a pro- 
fusion of disses and dats. His associate was a more soft-spoken Jew- 
ish fellow named Steve. They liked to hold meetings at Kaplan’s Deli 
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in New York City. Though everything was on the up-and-up with 
these two, they still seemed like escapees from an Elmore Leonard 
novel. 

Drawing upon a list of about fifty investors (including, Bidzos says, 
dozens of New York doctors, dentists, and the comedian David Bren- 
ner), they had loaned RSA half a million dollars in December 1985. 
But RSA Data Security went through the money like a sugar -toothed 
eight-year-old gobbling Halloween candy. The $500,000 had barely 
been counted before it was almost gone, drained by accrued salaries, 
debt, and a bridge loan to cover operating expenses. The company was 
going bust. 

If that wasn’t enough to worry about, Bidzos then learned that 
Ralph Bennett, a Scientologist, had indicated that he might transfer 
his own considerable shares in the company to that organization. This 
would have made the Church of Scientology one of the biggest share- 
holders in the company — and the keeper of modern cryptography. 

Oddly, one thing that was not considered a problem at the time was 
the possibility that RSA, by launching a new and powerful form of 
cryptography into the growing ether of computer communications, 
might alienate the National Security Agency, or provoke a response 
from law enforcement agencies that felt threatened by the advent of 
cryptography. “Bart and Ralph understood the NSA had an interest in 
this sort of thing,” says Bidzos. “But they saw the agency as a poten- 
tial customer.” As far as the visible lack of interest from the NSA 
itself — no queries or threats had emerged from behind the Triple 
Fence — Bidzos came to believe (correctly, as it turned out) that the 
spooks had figured that the smartest course of action would be to 
leave RSA alone . . . because the company almost certainly was falling 
apart on its own. 

“Bart was just lost and didn’t know what was happening,” says Bid- 
zos. “He’s an optimist and a very enthusiastic fellow, and he was going 
to do a $ 1 0 million deal with every computer company in the world. 
But there were no prospects of making money anywhere.” Even so, 
drawn by the big-idea-ness of it all, Bidzos found himself more and 
more interested. In mid- January 1986, he agreed to accompany 
O’Brien to Boston to brainstorm with Rivest about the company’s 
problems. They flew on People Express, a discount airline with all the 
frills of a Greyhound Bus route on the Texas plains. The night before 
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the meeting he and O’Brien went over the numbers, which looked 
bleaker than ever. It appeared that the flag bearer for public key cryp- 
tography might die without ever even raising the damn flag. Some 
revolution. 

In Rivest’s office the next day, Bidzos laid out the whole mess, 
scrawling the specifics on his blackboard. At first Rivest’s attitude 
was . . . professorial. After hearing the bad news, he sighed and said, 
“Oh, gee, I’d really hoped it would do well.” Bidzos tried to tell him 
that he simply wasn’t getting it. RSA’s failure wasn’t analogous to not 
winning some academic honor. There were consequences. When you 
take money from people, there’s a different kind of accountability. 
They all could be sued. Finally, as Rivest began to get the picture, he 
began to flip out. 

Then they got Adleman on the phone in Southern California. After 
hearing how dire the circumstances were, the mathematician once 
again realized why it was so much more pleasant dealing with theo- 
retical problems in number space. So he decided to make his involve- 
ment theoretical. “I resign from the board of directors,” he said, and 
hung up. 

Years later, Adleman was philosophical about his role. “A large part 
of why the company wasn’t working was me,” he said. “In the begin- 
ning, RSA was a nonentity; it existed on paper but didn’t really exist. 
Somebody had to pick up the ball, and there was good news and bad 
news in my picking it up. If I hadn’t, the technology would have been 
picked up by someone else, and the patents would have gone to some- 
one else. But while I gave birth to RSA to a certain extent, I didn’t do 
a good enough job to get a baby out that didn’t have some serious 
defects.” 

After O’Brien and Bidzos returned to California, they hired a man- 
agement consultant who worked with them to try to find a way 
through the mess. As the meetings progressed, the consultant com- 
mented that Bidzos’s ideas seemed both inventive and practical. A 
crazy idea crossed Bidzos’s mind: maybe he should be running things. 

Even now, Bidzos cannot come up with a coherent sense of the rea- 
soning that led him to join the endangered company full time as the 
instrument of its salvation. Indeed, in the months to come, trying to 
unravel the ongoing crisis late at night before the computer screen, he 
would often ask himself: Am I really here? I could be in a first-class 
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cabin, flying to Paris to drink bordeaux at the Tour d’ Argent with sweet 
Dominique! Yes, there was the opportunity to finally run a business. 
Yes, there was the excitement of a new technology. And yes, there was 
the lure of San Francisco with its women, its restaurants, its hot-tub 
parties in Tiburon. But it still really didn’t make sense. Though he 
went through the motions of figuring out how he might personally 
avoid the consequences if everything wound up in a horrid thicket of 
lawsuits and recriminations, deep down, he understood that he was 
involving himself in a potential train wreck. 

For a while, he maintained to himself that his role was only 
temporary — he would help the company secure some funding, hire a 
new leader, and eventually collect some stock for his labors. Then he’d 
be on his way. But by the end of March, everybody else on the payroll 
had left or been cleared out. (Bennett technically didn’t leave until 
mid-August, after some tough negotiations that led to a buyout and, 
incidentally, the end of a possible relationship between RSA and the 
Church of Scientology.) It was Good Friday, but Bidzos called it Black 
Friday. He went out to dinner that night with Rivest and Bennett, and 
officially took the title of vice president of sales and marketing. Later 
on, he realized that since he was the only official there, he might as 
well call himself the president. 

His chief concern was the financial crisis. Some bills simply could 
not be paid. And, of course, no money was coming in. He called 
debtors and negotiated. “You call a law firm and tell them the com- 
pany’s winding down — we owe you $1 75,000 and we’ve got $10,000 
to give you,” says Bidzos. And they’d settle for the cash! Meanwhile, 
he set off to keep Vinnie and Steve happy. Fortunately, he had a good 
relationship with them. One day at Kaplan’s Deli, Bidzos was signing 
the credit-card bill for the meal, and he mistakenly underpaid, writing 
a three instead of an eight. The waitress went ballistic, calling him a 
cheater. Bidzos was mortified. But Vinnie and Steve beamed. “We like 
that,” they joked. 

Affection aside, Vinnie and Steve had to think of their investors, 
and a lawsuit against RSA was still a possibility. They decided to get 
the opinion of a respected outsider, a guy whom they called “the Wiz- 
ard of Wall Street.” He was a no-nonsense cigar smoker who cut to 
the chase when Bidzos was brought to meet him. “What’s the story?” 
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he asked. Bidzos drew on his own cigar and launched into a spiel 
about the brilliant young MIT geniuses who figured out a way to 
secure computer data and enable commerce in the next century. The 
wizard was impressed, and Vinnie and Steve decided to keep the faith. 

The process that would truly save RSA, however, would be con- 
vincing large companies that they needed crypto, and then selling 
them the technology. While the encryption software program Mailsafe 
was getting closer to a finished version (it would finally ship in July), 
the current business plan assumed that it would not be software sales 
but licensing fees that brought in the bulk of RSA’s revenues. Before 
leaving the company, Bart O’Brien had compiled a list of about thirty 
potential large customers, and Bidzos went through it. Discussions 
with AT&T, which O’Brien had figured for a $10 million contract, had 
stalled. Bidzos kept taking meetings, seeing executives at IBM, DEC, 
and Xerox. But that first major contract seemed frustratingly elusive, 
a siren just out of reach. If RSA didn’t rope in a big score, all of Bid- 
zos’s efforts would be wasted. The debts would be due, and the law- 
suits would follow. Then the MIT patent, the crown jewel of the 
company, would be auctioned off for peanuts. He needed money now. 
But who would buy first? Would anyone bite? 

One potential savior stood out — a small software company called 
Iris Associates that was funded by the spreadsheet giant Lotus Devel- 
opment Corp. Iris’s product, called Notes, was the first example of a 
new software category called groupware, a program meant to be used 
by dozens or even thousands of people over a network. Notes was an 
ideal candidate for a built-in encryption system since it assumed that 
users would electronically exchange virtually all their messages, even 
ones involving the most confidential corporate secrets. Without a means 
of securing that information against eavesdroppers, Lotus’s poten- 
tial customers — major corporations whose data were worth zillions — 
would be unlikely to purchase Notes. 

No one understood this better than the inventor of Notes. Ray 
Ozzie was one of those double-threat computer geniuses who not only 
could code their way out of a trunk loaded with rocks dropped into the 
middle of the ocean, but were equally visionary in the analog world, 
with an instinctive sense of the marketplace. He began his career at 
Data General, the minicomputer company, but when he saw the IBM 
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PC microcomputer he realized that the future lay in these personal 
devices. So he moved to what was then one of the biggest PC software 
companies, Software Arts, creator of the original spreadsheet, Visi- 
Calc. But in his head Ozzie was thinking about what could happen 
when all these personal computers got networked together. He felt 
that IBM itself would eventually get into the business of writing soft- 
ware for that world, but in the meantime there was a total vacuum — 
one that he hoped to fill with a program of his own design. That was 
Notes, and he founded Iris Associates to produce the program. But he 
spent much of 1982 unsuccessfully seeking start-up funding. 

In early 1983, he set out to pitch his vision to Mitch Kapor, the 
founder of Lotus, which had recently released a spreadsheet called 
1-2-3 that immediately supplanted VisiCalc as the industry gold stan- 
dard. Kapor’s main concern was finding a master software wizard to 
write Symphony, a multifunction program for Lotus, one that melded 
a spreadsheet, word processor, and database. So they made an agree- 
ment: if Ozzie would create Symphony for him, Kapor would fund Iris 
Associates to create Notes, and Lotus would distribute it. On the day 
Symphony shipped, in 1984, Kapor said, “Okay, Ray, do your thing.” 

Ozzie knew early on that security would be a key feature in 
Notes, and he looked forward to developing a technology to frustrate 
snoops and crooks. As a kid, he’d loved the TV show The Man from 
U.N.C.L.E. and played secret agent with his friends. That took a back- 
seat to electronics and, eventually, computer science, but he’d gotten 
excited when he read Martin Gardner’s article about RSA in 1977. So 
he suspected that his product might benefit from a public key crypto- 
system. Coincidentally, in early 1984, not long before he finished 
Symphony, he came across an article in Dr. Dobb’s Journal (a sort of 
programming guide for granola -chomping hackers) with a FOR- 
TRAN source code for encrypting with RSA. “It was so cool,” he 
recalls. 

In 1984, though, the appearance of an early implementation of RSA 
in a computer hobbyist magazine was a symbol of public key’s status: 
although the advance had made a lot of noise in the academic com- 
munity, no one had seriously considered using it in a software prod- 
uct. But Notes needed something like it. In a memo Ozzie wrote about 
security issues, he identified the problem that his groupware product 
faced, both in protecting privacy and establishing authenticity: 
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Mitch Kapor wants to send mail to Jim Manzi [Lotus’s 
second-in-command] about some (perhaps sensitive) sub- 
ject. Mitch sends it to Jim. First, although this mail SAYS 
that it is from Mitch, has some hacker on the network 
“faked” the message and put it into Jim’s mailbox? How 
can he be sure that this mail is really from Mitch? Second, 
he realized that this message passed through several inter- 
mediate machines; did anyone “take a peek” at the message 
as it was on its way to Jim? 

Ozzie continued to describe the way a traditional computer security 
system would deal with the problem, that is, via a central authority that 
delivered passwords off-line, and became, essentially, a mandatory 
hub through which all traffic passed. This model was not only vul- 
nerable in exactly the way that had made Whit Diffie so dissatisfied in 
the late 1960s — if the central authority screwed up, turned crooked, 
or turned you in, the whole system failed — but its very spirit was 
locked into an age that was destined for the junk heap. That system 
was synced with the mainframe model of computing, where some 
huge hulking circuit-laden beast did all the crunching, flipping com- 
putations to dozens or hundreds of users like some giant robotic 
blackjack dealer. Ozzie saw Notes not only as a pioneering product 
but also as a seminal example of the networked future, where the 
masses would have their own computers and not have to check in with 
some massive digital Big Brother. Like the phone system, communi- 
cations would be one-to-one, people communicating directly with 
their peers (as opposed to some now-antiquated models where com- 
munications were funneled through a central authority). “We believe 
that this is a bad approach,” wrote Ozzie of the central -authority 
model. “It changes the distributed nature of the network back into the 
old ‘centralized data’ approach of mainframes. ... It also resurrects 
the problems with the ‘traditional solution,’ that is, trust in people 
and/or mechanisms that are not completely understood.” 

The way to deliver security in the far -preferable decentralized man- 
ner was, of course, via public key. Diffie and Heilman’s landmark 
paper seemed almost to have Notes in mind when it outlined how 
Ozzie’s problems could be addressed. Through use of a “global phone 
book,” everybody in the organization would have access to everybody 
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else’s public key. Public key provided a way that Notes users could not 
only send messages in complete privacy but could also make sure that 
the message wasn’t forged: 

Consider the aforementioned scenario where Mitch sends a 
message to Jim. . . . Mitch writes a memo. In Notes, it 
invokes a menu item called “Sign Message.” Notes uses 
Mitch’s private key and the message itself to attach to the 
original message a “Signature,” a code that uniquely iden- 
tifies both Mitch and the actual contents of the message. 

Once the message is signed, Mitch invokes the “Send Mes- 
sage” menu item. The message then leaves Mitch’s PC, 
goes across the network, and ends up in Jim’s PC. Jim, 
receiving the message, reads it and wonders if Mitch really 
sent him this message. He invokes a menu item called 
“Verify Message” (this, of course, could have been done 
automatically). Notes now looks at the directory of users 
to find Mitch’s Public Key. Once found, Notes uses the 
message’s attached “Signature” and Mitch’s Public Key to 
do the verification. When Notes says “OK” it is indicating 
that the message was indeed sent by Mitch and the message 
is in its original form and has not been modified between 
Mitch and Jim. 

Ozzie concluded that the only viable implementation of public 
key crypto was RSA. He needed a heavy-duty system. While the 
Dr. Dobb’s program was a fun hack, it was many magnitudes too slow 
to be used in a commercial program, let alone to be used to encrypt 
large messages. When Ozzie and his team got serious about encryp- 
tion, they decided to go with a more sophisticated use of RSA: a 
hybrid system, using the public key method as a way for users securely 
to create symmetrical keys, which would be used to encrypt messages 
in a conventional cryptosystem. They figured the proper combo was 
RSA as a key -exchange algorithm and DES to actually scramble the 
message content. 

Around that time, Mitch Kapor got an unsolicited letter from Ron 
Rivest. I don’t know if you have any need for this, the letter went, but 
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there’s this useful algorithm called RSA, and we have the exclusive 
rights. . . . 

“Do you know what this is?” Kapor asked Ozzie. 

“Oh, shit,” said Ozzie. “RSA is subject to licensing ?” 

A meeting was arranged. On April 29, 1985, Bart O’Brien and Ron 
Rivest came to Iris. It was by far the most promising sales call in RSA 
company history. When O’Brien launched into his standard song and 
dance about the wonders of their system, Ozzie cut him off — the Iris 
people were already sold on the virtues of RSA. Discussion immedi- 
ately switched to how the companies might work together. Ozzie was 
particularly excited at the prospect of having Rivest himself available 
for consultation: “Who can better verify an algorithm than its inven- 
tor?” he wrote in a memo. 

The main sticking point turned out to be money. When it came time 
to give actual figures, O’Brien, offering what he called “a first-guess 
estimate,” asked for the moon: $100 a unit for the first 15,000 cus- 
tomers (or “seats”) with a sliding downward scale that stopped at $50 
a seat after the 100,000th user. Ozzie told them those estimates were 
“tremendously out of line with reality.” After all, the wholesale price of 
the entire software package was to be only a couple of hundred dol- 
lars. Ozzie promised, though, that he’d discuss pricing with Lotus, 
which would ultimately be paying the licensing fees. But he knew that 
there was no way Lotus would ever pay that kind of money. 

Sometime during the discussion Bart O’Brien mentioned that Ozzie 
might want to check out whether including encryption in its prod- 
uct might affect overseas sales. Ozzie admitted that he’d never given 
any thought to the issue. Rivest and O’Brien suggested that he make 
contact with the National Security Agency on this, but first Iris or 
Lotus — whichever was going to export the product — should figure out 
a government strategy. “These are not people you want to deal with 
casually,” they told Ozzie. “You want to understand the endgame.” 
When the meeting was over, Ozzie quickly realized that no matter what 
system Notes used, this might be an issue, and in his memo he re- 
quested that Lotus’s lawyers look into how the export regulations 
might affect the product. 

The meeting ended amicably, but the sticking point remained: 
RSA’s outrageous asking price. On the other hand, the public key 
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algorithms were perfect for Notes. "We knew technologically what we 
wanted — we’d already prototyped it,” says Ozzie. “I wasn’t going to 
put all my cards on the table at the first negotiation, but they could tell 
we were clearly excited.” But for a while it remained a stalemate. RSA 
regarded Lotus as one of many potential big scores, and Ozzie began 
what he saw as a sales job to Lotus, trying to get them to shell out for 
a reasonable license fee. 

By the time Jim Bidzos joined the talks, almost a year had passed 
since the initial contact between RSA and Ozzie, with little progress 
made. In fact, after making some tentative inquiries with the govern- 
ment, the Notes people had reason to second-guess the whole idea 
of licensing crypto: they’d been given hints that the National Secu- 
rity Agency would be less than pleased at the prospect of a major 
software product with technology to scramble information that the 
supercomputers behind the Triple Fence could not easily read. But as 
soon as RSA’s new leader came in — this fast-talking thirty-one-year- 
old Greek who was obviously not a hacker, not from the Silicon Val- 
ley culture at all — the Iris guys knew that negotiations had reached a 
new phase. 

Bidzos jacked up the urgency quotient instantly. He clearly wanted 
to cut a deal and wasn’t afraid to take the conversation in an adver- 
sarial direction. He emphatically reminded Lotus that RSA had the 
technology Notes needed, technology unattainable elsewhere. Without 
crypto, big corporations that wanted their communications protected 
would never use Notes. As far as he was concerned, Jim Bidzos had 
Ray Ozzie by the balls, and made sure he knew it. This aggressiveness 
unnerved Ozzie and his colleagues. Bidzos’s come-on was so intense 
that for weeks the speculation at Iris and Lotus was whether this 
pushy Greek was actually some sort of intelligence agent who’d been 
planted at RSA to control crypto. Still, Bidzos’s appearance broke 
the stalemate. He could switch from an iron glove to a velvet one. He 
reassured the Iris people that RSA — meaning Ron Rivest and some 
moonlighting MIT colleagues — could actually help to build the RSA 
algorithm into the product. And his financial demands were nowhere 
near the fantasy figures that Bart O’Brien had demanded earlier. In 
fact, one of his chief criticisms of his predecessors was their ridiculous 
financial demands. 

Meanwhile, Ozzie had convinced Lotus CEO Mitch Kapor that 
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public key technology was essential to Notes and it was time to come 
in with a solid offer. Lotus dangled before the troubled crypto com- 
pany something it needed desperately: a cash advance against royal- 
ties. The figure was $200,000, but Lotus wouldn’t pay all of that until 
the development work was done. Upon signing, however, Bidzos 
would get a check for $50,000. At that point, $50,000 represented the 
difference between life and death for RSA Data Security. 

The contracts were drawn that summer, to be executed in October, 
when Bidzos would go to Lotus’s new headquarters on the Charles 
River in Cambridge, and he and Mitch Kapor would both sign the 
contract. But when the RSA contingent arrived that day they sensed 
a profound disarray at Lotus. Sitting in the waiting room, Bidzos 
reached for a copy of the Wall Street Journal. On the front page was 
one of its trademark ink-pen portraits — of Mitch Kapor. It accompa- 
nied a story that said that Kapor was resigning from Lotus to pursue 
those ever-compelling personal goals. Essentially, the former tran- 
scendental meditation teacher had grown intolerant of the business 
world’s soul -battering minutiae, and he was following his muse out 
the door. 

Before Bidzos had a chance to assess the impact of this on the still- 
unsigned contract, a receptionist summoned him upstairs. Kapor was 
there, his muse apparently still loitering in the building. “I don’t work 
here anymore,” he said. “But Ed Belove will take care of you.” Belove, 
a vice-president who had worked on the deal, had the authority to sign 
the contract, and he did. 

With that money, RSA was able not only to keep its doors open, but 
also to start distributing Mailsafe. Who was the audience for such a 
personal computer-based cryptography product? The RSA people 
really didn’t have an idea. The mainstream of the American public 
didn’t consider encrypting e-mail a pressing concern. On the other 
hand, there was a vast number of career paranoids who found the 
product immediately attractive. 

One particular caller seemed to embody this arcane demographic. 
Around the time Mailsafe shipped, calls started coming in to RSA that 
began with heavy breathing. Then an anxious voice would burst out, 
How big are the keys that come with Mailsafe? And they’d tell him, 
“One hundred forty digits.” Then, puff puff, he’d ask, How hard is that 
to break? and they’d say it would take a supercomputer a trillion years 
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to find the key. Can I set bigger keys? he’d ask, pant pant, and they’d 
tell him yes and then hear heavy, almost frenzied wheezing on the line. 
Can the government break that? Uh-uh. Can the NSA break that? The 
next day, he’d call back, asking essentially the same questions. He 
became known at RSA as the Obscene Crypto Caller. “He obviously 
thought we were some huge company that wouldn’t know it was the 
same guy calling,” says Bidzos. “In fact, we’d all huddle around and 
listen to him when he called.” 

Would RSA sell its product to the Obscene Crypto Caller? Yes, it 
would. Just as the NSA had feared, here was a company that would 
sell to anybody. And as long as RSA didn’t send it across the borders 
of the United States, the company was perfectly within its rights to do 
so. It wouldn’t ask why people wanted to use it: that was nobody’s 
business but the buyer’s. It would even ship to post office boxes. 

Sometimes Bidzos himself would talk to customers when they 
called. One fellow in Pittsburgh quizzed him at length on the strength 
of the product, particularly on whether the government was able to 
break it. Bidzos asked him why he wanted Mailsafe. It turned out the 
guy sold surveillance countermeasures, like equipment that swept 
rooms for electronic monitoring bugs. Bidzos immediately realized 
that he had something in common with the man: both of them dealt in 
tools that were regulated by a government with a high stake in restrict- 
ing the most powerful technology in the field. The conversation would 
also get Bidzos wondering whether he was being bugged. 

But Mailsafe was a sideshow; Bidzos realized that RSA’s revenue 
stream would mainly be the big companies that licensed the RSA 
toolkit and built encryption directly into their own products. After the 
hurdle of the first big deal with Lotus was cleared, a number of large 
customers — including some of the most influential in the land — 
fell into line over the next few months. First came Motorola, which 
wanted public key technology for secure telephones. Then came Digi- 
tal Equipment Corporation and Novell, both companies that required 
a means to secure computer networks. 

All of these deals were closed by RSA’s supersalesman Jim Bidzos. 
When negotiating with potential licensees, he had the ultimate weapon: 
the patents for the technology. Before naming a price, he would speak 
at length about the nature of encryption and authentication, drawing 
deeply on his informal tutorials from Diffie, Rivest, Adleman, and 
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Shamir. By then, Diffie had decided not to work for RSA formally — 
“I’ve never had a start-up personality; I’ve never been able to work on 
anything but what I was interested in at the moment,” he later 
explained. The company instead needed people like Rivest, who could 
focus his attention and write thousands of lines of product code in a 
few weeks. 

Bidzos had himself become quite an explicator of the crypto revo- 
lution. He understood completely how what would later be called the 
Network Effect was absolutely crucial when it came to public key 
cryptography: its value increased exponentially by the degree to which 
it spread throughout the population. For that reason, he almost always 
insisted that RSA be built into the basic product, so buyers would get 
crypto without specifically having to ask for it. 

Only when Bidzos finished his rap would he get into the terms of 
the deal. The kind of arrangements he liked the best were those that 
involved getting encryption into the hands of thousands, maybe even 
hundreds of thousands, of users. With a customer base that size, RSA 
would demand only a few dollars per seat. A dream began to form: a 
world where everybody could, and did, communicate with the privacy 
that encryption provided; a world where people could not only swap 
mail but sign contracts and pay bills with all the safeguards available 
in the physical world. And RSA would get a piece of all that. It was the 
ultimate salesman’s dream. But it was also the NSA’s nightmare. 

For a crucial period in the mid-1980s, however, Bidzos heard little 
from the government. He says that there were occasional rumors that 
some officials were quietly urging some sort of action against RSA, 
action that might have been devastating to the fragile young com- 
pany. “Buy them, threaten them, do something — just stop them,” he’d 
heard they were saying. “There are a million ways to do it.” But nobody 
did. So, his theory went, the government simply sat back and waited 
for RSA to self-destruct. 

The government skeptics underestimated Jim Bidzos. By the end 
of the summer of 1986, he had transformed the company and won the 
trust, if not the total enthusiasm, of all three of the firm’s namesakes. 
Ron Rivest had become a good friend, and was the most committed 
of the trio. He saw Len Adleman in Berkeley, who was amiable but 
somewhat reserved — though still a shareholder, he’d apparently had 
enough of the business life. Then in August Bidzos met Adi Shamir, 
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who had moved back to Israel but was in the Bay Area before heading 
to Santa Barbara for the annual Crypto conclave. Bidzos spent the day 
with him. He found Shamir very bright and very intense, and the 
businessman took pains to solicit ideas from the cryptographer — who 
was, after all, also a shareholder — on RSA’s various opportunities for 
success. 

Relations were not as good, though, with Marty Heilman. In the 
1980s, Diffie’s coinventor of public key had tried to go into business 
himself selling crypto solutions under the name Heilman Associates. 
But the venture never took off, perhaps because much of his energy in 
the eighties was devoted to intense involvement in an antinuclear 
group called Beyond War. “The importance of cryptography couldn’t 
compare to the importance of the danger to human survival, and so I 
worked on the issue of making sure the human race survived,” he later 
explained. Still, now he seemed upset, even hurt, that this company 
based in part on his ideas was finally beginning to make it, particularly 
since he disagreed with parts of RSA Data Security’s approach to pub- 
lic key. Bidzos says he tried to bring Heilman in, and arranged a sort 
of reconciliation with all the other public key creators in a dorm room 
at Crypto ’86 that August. Heilman, Bidzos recalls, was emotional as 
he voiced his complaints. But nothing came of the meeting, and for 
years there was a chill between Heilman and the others. Bidzos says he 
later offered Heilman stock in the company, begged him to take it — 
he’d already given shares to Diffie. But Heilman refused, claiming that 
he wasn’t a stock guy. (He did accept a stipend to become a “distin- 
guished associate.”) 

Had he taken the stock, he would have eventually cleared well over 
a million dollars, as Diffie did. This was in contrast to the pitifully low 
sum paid to them by Stanford, which held the actual patents for their 
breakthroughs — Diffie’s own share came to only about $10,000. 

In any case, RSA Data Security, Inc., was beginning to take off. But 
now it was triggering the NSA’s radar. And the first to notice were 
RSA’s customers. 


patents and keys 


t o Ray Ozzie the whole thing was a no-brainer. He was creating a 
product by which people exchanged information that they might want 
to protect. Including encryption in the product was simply a means of 
providing them that protection. It was simple business. It was com- 
mon sense. But now that Lotus was actually preparing to include RSA 
as an essential component of Notes, he found himself waist deep in a 
thicket of red tape concerning its export — almost as if he were a vir- 
tual enemy of the state. To his horror, he discovered that as far as the 
export rules were concerned, even a strictly commercial program that 
helps people run their businesses is considered a weapon. Not a hand- 
gun or a stiletto, either, but a weapon of mass destruction, like a 
Stinger missile or a nuclear bomb trigger. 

Ozzie could have simply avoided the whole mess by not exporting 
his product. On a practical level, though, limiting sales to America was 
unthinkable. It would mean cutting potential revenues at least in half. 
Software for personal computers was a global market, particularly 
when it came to big corporations that were the prime consumers of 
Notes. But such a market hadn’t existed when the export regulations 
were created. When Ozzie and the Lotus lawyers did their research, 
they found that crypto export licenses were generally issued only when 
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the exporter (typically some company with ties to the military estab- 
lishment) was able to identify and vouch for the friendliness and trust- 
worthiness of the final users. The process was called an “end-user 
certification.” But Notes was a mass-market product, sold shrink- 
wrapped like a cassette tape. The users would be . . . just plain peo- 
ple. To their dismay, the Lotus lawyers were unable to find any pre- 
vious case where a crypto export license had been issued in those 
circumstances. 

To wend one’s way through the political, technical, and spookified 
minefield of these regulations and restrictions, you needed a white- 
shoed D.C. lawyer -minesweeper, so Lotus went out and got one. His 
name was Dave Wormser. His first piece of advice was to go directly to 
what would be the source of all objections: the NSA. The law didn’t 
require this — the specified avenue was the State Department — but 
Wormser knew that even filling out an application would be a waste of 
time unless they knew what the minds behind the Triple Fence might 
find troublesome in the product. 

So, in mid- 1 986, not long after inking the deal with RSA, Ray Ozzie 
went to Fort Meade, Maryland, to see what he was up against. He was 
accompanied by Wormser and Alan Eldridge, the Iris engineer who 
was in charge of the security components in Notes. Ozzie was thirty 
years old at the time, just a bit too young to have been swept up in the 
sixties rebellion but still old enough to have a skeptical attitude toward 
the military. As a heads-down engineer and product developer, though, 
he had little idea of what he had stumbled into. 

Ray Ozzie, of course, knew nothing about the similar journey made 
over a decade earlier by Walt Tuchman of IBM. Tuchman, too, had 
been an outsider with a plan that would extend the powers of crypto 
beyond the area that The Fort had cordoned off for itself. The NSA, 
confident that a company like IBM would never defy a request made 
in the name of national security, had originally felt it had risen to that 
challenge, but in the years after the approval of the Data Encryption 
Standard, it had become clear that the problem had not gone away. As 
crypto edged its way more and more into the public sector — and DES 
became more and more common within U.S. borders — certain forces 
within the NSA now saw the approval of DES, despite IBM’s extraor- 
dinary concessions, as a horrible mistake. Who knew that everybody 
from middle managers to grandmas were going to be using comput- 
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ers strong enough to do industrial- strength encryption? To some in 
the agency, the arrival of the Lotus team was probably the strongest 
indication yet that crypto was already leaching out into the main- 
stream. To those NSA people, Ray Ozzie’s visit meant that the crypto 
barbarians were indeed at the gate. 

Fort Meade, with its fences, its guardhouse, the long hallway with 
pictures of obscure generals, the generic meeting room you’re ushered 
into with furniture that looked like it had been there since the 
McCarthy era, was pretty intimidating. It made Ray Ozzie think, 
These people are obviously in control and they know it. 

The meeting began when several NSA officials came in. One of 
them, apparently the case officer on this matter, began questioning the 
trio. (This particular functionary — Ozzie is loath to disclose his 
name — wound up following the progress of Notes for more than ten 
years.) What was the product? When would it be ready? What sort of 
cryptography do you hope to use? Ozzie and his team described their 
hybrid crypto scheme: RSA for the key exchange and DES for the 
actual encryption. 

But the very mention of DES made the NSA people go nuts. “I’ll tell 
you right now,” one of them said. “You’re not going to export DES, no 
way, under no circumstances . . . you will never export DES.” This 
seemed strange: hadn’t the NSA put its seal of approval on DES? Not 
to be exported to anyone with a couple hundred bucks to spend, baby. 
The NSA functionary explained that DES was not merely a crypto- 
system but a red-hot political issue at The Fort, with implications that 
a private -sector engineer would not understand and had no need to 
understand. 

Ozzie didn’t know it then, but the NSA was going through a period 
of post-Data Encryption Standard remorse. In fact, the agency was 
just then working on a project of its own called the Commercial 
COMSEC Endorsement Program, which it hoped would kill off the 
Lucifer -based cipher and replace it with a cryptosystem of its own, 
dubbed Project Overtake. The ostensible reason was that widespread 
use of DES “could motivate a hostile intelligence organization to 
mount a large scale attack” on the cipher. This in itself was sort of 
ironic, since it was the NSA that mandated the smaller key size for the 
code, thus making it vulnerable to such an attack. The real problem 
wasn’t that DES was weak, but that it was sound, too sound for a 
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cryptosystem used by the general public. DES now threatened to fall 
into much wider use than the agency had estimated — and if mass- 
market public key systems like Notes used DES, the problem would 
get far worse. So Fort Meade now viewed the cipher as a rogue ele- 
ment in its global mission. The solution was for the NSA to come up 
with its own cipher, which would be strictly under its control. 

Yet Project Overtake was a doomed initiative because its potential 
private -sector customers weren’t buying. For one thing, its technology 
was expensive and clunky. It involved audiocassette-sized devices built 
to snap into computers. The boxes cost well over $1000 each. Worse, 
the banks and other financial institutions asked to participate in this 
project were given no control over the system. The algorithms them- 
selves were protected. The boxes would be tamperproof. Even the keys 
were to be generated and distributed by the NSA itself. What assur- 
ances did the NSA give that the agency would not be keeping copies 
of the keys for itself? In a rare public interview in the Wall Street Jour- 
nal, an NSA representative sniffed, “We have better things to do with 
our time.” In other words: Trust us. Elsewhere in that article, the 
NSA’s neo-Stalinistic marketing tactics were examined. A banking 
executive described a typical Project Overtake sales call: “An NSA guy 
stands up and makes pronouncements. ‘You guys have to do this.’ It’s 
a directive. You can imagine how far this gets them.” No, thank you, 
said the banks. They’d stick with DES. 

Though Ray Ozzie was unaware of all this, he was beginning to 
realize that the idea of exporting crypto was a very big deal for these 
guys. As the obstensibly amiable interrogation continued that day, it 
became clear that the NSA people did not even have the vocabulary to 
deal with a mass -marketed product with strong security like Lotus 
Notes. “They had dealt with people who knew their customers, and 
could vouch for them with end-user certifications,” says Ozzie. “But 
we had to explain to them that our industry didn’t work that way.” 
When Ozzie tried to elaborate on this, his attorney began kicking him 
under the table — this wasn’t the kind of thing that the NSA wanted to 
hear. But Ozzie felt it important to defend the crypto component in 
Notes, explaining that if people were going to use the product, they’d 
be risking their entire businesses on the security of the information. 
That argument didn’t seem to impress the spooks. 

Flying back to Boston after that first meeting, Ozzie asked himself, 
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Would it really be so bad to distribute Lotus Notes only within the 
United States, and avoid this whole battle? But that approach would 
be financial suicide. You simply could not compete if you wrote off the 
global marketplace. 

So Ozzie had the lawyers arrange another meeting, this time in 
Cambridge. Had the National Security Agency softened its position at 
all? “Just to make sure you know where we stand,” said one of the 
NSA representatives to the Lotus people, “we’ve long known you’ve 
had encryption in Lotus 1-2-3, and from our standpoint that’s within 
our jurisdiction. We could stop your shipments of 1-2-3 tomorrow if 
we felt like it.” 

Lotus 1 -2-3, of course, was the spreadsheet that provided the lion’s 
share of the company’s revenues. It was the most popular software 
product in the world and a huge percentage of its sales was over- 
seas. What was the “encryption” to which the NSA referred? Lotus’s 
spreadsheet program contained a simple password option that blocked 
access to unauthorized users. Now, it was highly unlikely that the U.S. 
government would dare halt all shipments of software that used pass- 
words, an act that would cause the entire personal computer software 
industry to collapse. Still, the threat had its effect. Ozzie glanced over 
at his lawyer, and saw a look of sheer panic. 

In the course of that meeting and several others over the next three 
years, it became very clear to Ray Ozzie that no matter how crucial 
Lotus Notes might be to his company or even to the U.S. economy, 
any approval he got for export would be on the government’s terms 
only. On the other hand, he was relieved that no one dealing on behalf 
of the NSA ever made any demands on what encryption might be sold 
within the borders of the United States. (Such a demand would have 
been a violation of the Computer Security Act, but who knew where 
those guys would stop?) Whenever Ozzie indicated that export restric- 
tions might force Lotus to release two versions of Notes, one with 
strong encryption for domestic use and the other for approved export, 
the government negotiators would shrug and say, “Well, that’s your 
decision.” At times Ozzie would wonder whether the NSA wanted 
Lotus to create some secret skeleton key by which the spooks could 
quickly unscramble messages encrypted by Notes. He once probed to 
see if that was the case. “What the hell do you want?” he asked his 
tormentors. “Are you waiting for me to offer you a back door?” The 
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response was immediate: No, we don’t want you to compromise the 
security of the product. “So what the hell do you want?” Ozzie would 
ask, and he’d get no good answer. And the stalemate would continue. 

Finally, around the middle of 1987, Ozzie and his team got a con- 
cession from the NSA: If Lotus dropped DES and found a replacement 
cipher, the government would evaluate that cipher’s strength and allow 
Notes to be exported, with a key length that the parties would then 
negotiate. Lotus immediately hired Ron Rivest to cook up a new 
encryption algorithm. After a few weeks of intense work, he came up 
with his own cipher that he named RC-2, for Rivest Cipher 2. (A first 
effort was shelved.) Rivest’s system was similar to DES in that it was 
a block cipher that used complicated substitutions, but unlike DES, it 
had a variable key length. Lotus paid for all the development costs but 
allowed RSA to hold the patents. Rivest submitted the code to the NSA 
in 1987; not long afterward, he heard that the Triple Fence crypto wiz- 
ards required a couple of tweaks. 

“How do you know they’re not doing something to weaken it?” 
Ozzie asked him. 

Rivest replied that the government’s comments actually made good 
sense, so he felt safe making their changes. That took a month or so, 
and the negotiations picked up again. Not that they were getting any- 
where. “The content of the meetings was getting very thin,” says Ozzie. 
“I believe we were definitely being stalled.” His impression was that 
there was strife within the NSA itself on how to proceed. During 1987 
and 1 988, the lack of an export license wasn’t that much of a crisis for 
Lotus, because Notes was one of those ambitious software efforts that 
were years late in production. So the encryption issue wasn’t holding 
up the product itself. But as 1989 rolled around, it looked like the pro- 
gram might finally be ready to ship. Now an export solution was 
essential. 

The only thing that Lotus had going for it, really, was perseverance. 
Not that Ozzie had any alternatives. Every time he’d mention the pos- 
sibility of shipping a product only in the United States, the marketing 
people insisted such a course was just not financially viable. So he kept 
pressing. Kept asking for more meetings with the NSA. Kept supply- 
ing any and all information the government requested. So much infor- 
mation, he figured, that if he ever did get an export license, there 
wouldn’t be a chance in hell that the government could come back and 
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say, “Hold on, you didn’t tell us that the system works like this.” That 
would give it an opportunity to stop shipments. So Ozzie made sure 
that Lotus completely fulfilled even the Defense Department’s most 
trivial requests. 

While Ozzie was definitely the supplicant, he did have some lever- 
age. “Are you telling me that I have to go to my congressman and tell 
him you’re preventing me from shipping my product overseas?” he’d 
ask the export gatekeepers. “How much of an issue do I have to make 
of this?” Lotus may not have been a multibillion-dollar company, but 
it was the biggest company in the software industry at the time, and it 
wouldn’t have looked very good to have some faceless spooks barring 
the door to the darling of the business press. 

Suddenly, inexplicably, the ice broke in mid- 1989. Ozzie is con- 
vinced that the struggle within the NSA had finally ended in a com- 
promise. “It was clear that there were people for us and people against 
us,” he says. “Originally they’d been meeting with us because it was 
their job and they were curious about what we in this new personal 
computer industry wanted. Then I believe there were severe internal 
battles, with some people in favor of letting a little crypto out, to make 
us go away. And others who didn’t want a precedent set, and wanted 
nothing out.” Apparently the former prevailed. An offer materialized. 
Verbally, of course. A written offer would be akin to a binding prom- 
ise, an animal that does not exist in the export control menagerie. 

Here was the offer: Lotus Notes could ship overseas with RSA and 
RC-2 encryption built in, with a key size of 32 bits. The NSA people 
thought that was a major concession on their part. After all, their job 
was to break codes. So they had to be very concerned about what 
might happen if the president or the National Security Council came 
and asked them to break a message encrypted in a program they’d 
allowed exported. Their first instinct had been to permit only a 24-bit 
key. But “after serious leaning on NSA senior policy people,” said one 
of the government reps, they were willing to “go the extra mile” and 
allow what it considered unusually strong 32-bit keys. 

Unusually strong? The Lotus team was appalled. That meant that 
the keys one chose to encrypt and decrypt data were limited to a uni- 
verse of just over four billion keys. While you wouldn’t want to try to 
crack this by hand, it was totally lame in the age of supercomputers. 
For the silicon sweathogs in the basement of Fort Meade, finding a key 
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among four billion was a definite yawner. In the meeting, the NSA 
folks admitted that their supercomputers could indeed crack such keys 
inside of a couple of days (an estimate that seemed rather modest). 
But potential data thieves didn’t really need supercomputers to crack 
a code scrambled with a 3 2 -bit key. If they were determined enough, 
and had serious dollars to spend as well as time to kill, they’d be able 
to throw enough personal computing power at the problem to find the 
keys. According to RSA estimates, this could be accomplished within 
60 days. The government officials insisted that this was plenty of secu- 
rity. “Who would go to the trouble to break a single corporate mes- 
sage or several of them at 60 days a pop?” they asked. 

This seemed to ignore the guiding high-tech principle of Moore’s 
Law, which dictated that personal computers would double in power 
every eighteen months or so. So, that 60 days would soon be less than 
a month. By 1995, the time to crack a 32-bit key would be less than a 
week. But all of that was almost beside the point. True, for most rela- 
tively innocuous messages sent on Lotus Notes, spending days or 
weeks on decryption was excessive. But some of the information 
transmitted by these multimillion -dollar companies was bound to be 
valuable. And how would Lotus be able to assure those firms if the key 
length was limited to 32 bits? It couldn’t say that breaking the code 
was unimaginable — or even a challenge. Basically, getting hold of a 
secret message would be little more than a nuisance. 

There was no legal reason, however, to stop Lotus from producing 
two versions of the product: an export version with 32 bits and a much 
more secure version for use only within the United States. The latter 
used Lotus’s preferred key length of 64 bits, a degree of strength many 
times more difficult to crack than the export version. (Remember, 
each single bit doubles the size of the keyspace. A key that’s twice as 
hard to guess as the 3 2 -bit version would not be 64 bits long, but only 
33 bits. The domestic version, then, was like doubling the difficulty 32 
separate times, changing the time frame to crack a key from days to 
aeons. The bottom line was that it required no stretch of the imagina- 
tion to use brute force to come up with a 32-bit key. But considering 
1 989 computer power, one could reasonably declare such an attack on 
a 64-bit key next to impossible.) 

The drawbacks of producing two products of different key 
strengths were daunting. The obvious logistical costs — two packages, 
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two sets of disks, two inventories of products — were only the begin- 
ning. Ozzie and his team had to make sure that both versions operated 
with each other. Because the target customer base for Notes included 
multinational companies like General Motors, the software had to be 
written so that companies with some users in the United States and 
others overseas could communicate securely. So Lotus had to have the 
product work in such a way that people didn’t have to worry whether 
or not some of the recipients of an e-mail might be in Spain or Kansas 
City. Essentially (though none of this was apparent as one used the 
product), each person who used Notes was given two sets of keys — 
an international pair and a domestic pair. Implementing this was a 
programming nightmare. But, says Ozzie, “we were not going to com- 
promise in this country,” so Lotus went ahead and did the work. 

The one problem that simply could not be coded around was that 
the government -imposed limitation made the international product 
much, much weaker than its American cousin. You could view it as a 
bug, but one that was built into the product. Would international cus- 
tomers reject it for that reason? 

At first, they didn’t — mainly because the entire idea of buying a 
product with built-in encryption was so novel that customers weren’t 
attuned to the nuances of security. “We were trying to sell a product 
that was for uses they didn’t know they had,” says Ozzie. “It required 
a network card they didn’t have, a graphical interface they didn’t have. 
Only after we convinced them to put these things in did they ask, ‘Is 
it secure?’ And we’d tell them, ‘Yeah, it’s secure; not as much as the 
version in the U.S., but it’s secure.’ And they’d ask, ‘Can someone 
break in?’ And we’d go, ‘Well, if you ganged together thirty or forty 
personal computers, maybe you could. But you’d have to write special 
software and all.’ It was a customer education process to let them 
know we were trying to protect their data. It wasn’t for a few years 
that the questions began coming about why the international version 
isn’t as strong, and why didn’t we use DES.” 

Lotus’s hope was that by the time international customers got 
wise to the fact that their version of the software offered significantly 
weaker protection, the government would bend its restrictions and 
allow larger keys. Thirty-two-bit keys were just a compromise Ozzie 
made to get the product out the door. “Once we were shipping, and 
we had customers who had pull, we could [have the clout to argue for] 
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a change to forty-eight-bit keys [in the export version],” says Ozzie. 
“That was what we were pushing for.” 

But the government seemed to be pushing in the opposite di- 
rection. The NSA believed that the export version, even with that 
lame key size, was still too strong because of certain design elements. 
These concerned the possible reencryption of already-encrypted 
information — something Ozzie figured that, at worst, would make 
decrypting messages only slightly more difficult. Without explaining 
its reasons, the government suggested design changes that might sat- 
isfy them. The best Ozzie could figure was that the issue probably 
related to the way that NSA cryptanalysts broke codes. But settling the 
matter took months of further negotiations, ultimately resulting in sig- 
nificant product redesign that made the program run more slowly in 
certain instances. 

Ozzie couldn’t help but wonder: what was the point of all this? Did 
shipping Lotus Notes overseas only in a 32-bit version really improve 
national security? 


The struggle with Lotus over software exports was only one sign that 
after years of inaction, the National Security Agency had to wake 
up and face the challenge of a crypto revolution. After the mild panic 
following the first breakthroughs in the late 1970s, officials at The 
Fort thought things were under control. Though Bobby Ray Inman’s 
compromise — the scheme by which crypto researchers would volunta- 
rily submit their work to the NSA for a once -over — was not foolproof, 
an impressively high percentage of the top independent cryptographers 
actually went through the process. Because the choice was theirs, 
they could justify their decision to comply with the principles of aca- 
demic freedom. Besides, these academics had no desire to destabilize 
national security. Correspondence with the spooks was also fun, in a 
way. It provided a certain frisson, not to mention an implicit valida- 
tion that one’s work was indeed serious. In over nine times out of ten, 
the NSA made no suggestions, and other times, a minor adjustment 
would be requested — typically, this would be when the researcher 
inadvertently stumbled on some issue that was related to the NSA’s 
techniques in either its codes or its cryptanalysis. 

Furthermore, in at least one case, the NSA actually appeared to 
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have intervened on behalf of a researcher. This was none other than 
Adi Shamir. In the years since leaving MIT, Shamir had been extraor- 
dinarily productive. Using the ideas of public key as a starting point, 
he and various colleagues had come up with new ideas for crypto. 
Some of them were amazing. One that he worked on with Adleman 
and Rivest involved a way to play “mental poker . . . played just like 
ordinary poker, except there are no cards.” A more significant creation 
was “secret sharing.” Only two years after helping invent RSA, Shamir 
had been intrigued by what he considered to be a problem looking for 
a solution — how do you share a single key among several parties, par- 
ticularly when mistrust and suspicion festers among them? The clas- 
sic situation is an electronic equivalent of what happens in nuclear 
missile silos: in order to launch, multiple keys must be turned simul- 
taneously, requiring more than one person. Could you replicate this 
safeguard in cyberspace? It turns out you could, and once Shamir got 
to thinking about it, he came up with the idea of secret sharing, a 
means to parcel out a decryption key among several people. If a foe 
got hold of any individual’s share of the key (known as a “shadow”), 
he or she would have no advantage in an attempt to retrieve the entire 
key. Implementing that was the only the beginning, though. It was 
obvious how to do it in a way requiring the cooperation of all the par- 
ticipants to reconstruct the key. But then Shamir thought a little. . . . 
What would happen if one of those people disappeared or died or was 
kidnapped? This led to the idea to build tolerance, so that if you were 
given any predetermined subset of the keys, you would be able to 
reconstruct the secret. This came to be known as a “threshold 
scheme,” and its uses were endless. A trade secret like a recipe for 
Coca-Cola, for instance, could be distributed among ten people, and 
then you could prearrange any number of complicated combinations 
to retrieve the key. If, say, the six least trusted people holding shadows 
of the key got together, they might not be able to reconstruct the key. 
But the most trusted shadow holder might be able to build the key with 
any two other people in the consortium. 

In 1986, Shamir and two of his colleagues at the Weizmann Insti- 
tute came up with another innovative and potentially valuable tech- 
nique, known as “zero -knowledge proofs of identity.” Using one-way 
functions, these allowed Alice to verify that she knew a number (typi- 
cally something that identified her, like a social security or credit-card 
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number) without revealing that number to the interrogator. Using this 
system, Shamir later said, “I could go to a Mafia-owned store a mil- 
lion successive times and they would still not be able to misrepresent 
themselves as me [and use that information to buy goods, etc.].” Re- 
cognizing the value of this scheme in future e-commerce transactions, 
Shamir and his coinventors applied for a patent. But in early 1987, the 
patent office informed the cryptographers that, by order of the U.S. 
Army, their invention was now an official secret; circulating informa- 
tion on it “would be detrimental to the national security.” Not only 
were the Israeli scientists prevented from discussing it, but they were 
instructed to warn anyone who had seen the paper that sharing the 
idea could put one in jail for two years. Since they had already pres- 
ented the paper at several universities as well as the Crypto ’86 con- 
ference, and had submitted it to the Association of Computing 
Machinery for publication that May, this seemed a difficult, if not 
futile, task. Furthermore, since the authors weren’t even Americans 
themselves, how could the U.S. government tell them what they could 
and could not talk about? 

The NSA apparently wasn’t involved in that secrecy order, but soon 
heard about it from concerned American scientists — and from the New 
York Times, which had been tipped off about the controversy. Within 
two days the order was quietly lifted. It was weeks before Shamir 
learned about the reprieve, and he became convinced that the NSA 
had intervened in his behalf. Why? As Susan Landau, an academic 
researching crypto policy, later guessed, the agency had intervened to 
preserve its prepublication submission program. If the perception was 
that submitting a good crypto idea could lead to a sudden embargo, the 
flow of papers to the NSA would end. And, as Landau wrote, “it is 
much easier to find out what the competition is doing if they send you 
their papers.” 

As the 1 980s came to a close, however, it was clear that the volun- 
tary submission system had reached the end of its usefulness. The 
turning point came, significantly, with a paper written by Ralph 
Merkle. Merkle had gone to work at the Xerox Corporation, in its 
famed Palo Alto Research Center (PARC). His main area of study — 
indeed, his passion — was nanotechnology, a new science based on 
molecule -sized machines. But he kept up with the crypto world. In 
1989, he wrote a paper that introduced a series of algorithms that 
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would speed up cryptographic computation, driving down the price of 
encryption. This in itself was threatening to the NSA’s mission. But 
Merkle’s paper was particularly worrisome to the agency because it 
included a discussion of the technology of S-box design. Ever since 
Lucifer, this had been a hot -button issue at The Fort. 

Xerox sent the paper off to the NSA for a prepublication review. 
(Apparently, it had hopes of one day getting an export license for a 
product based on Merkle’s research.) As usual, the NSA itself circu- 
lated it to experts both inside and outside the Triple Fence. But this 
time the result was not a helpful correction or gentle request for a 
change in wording. The agency wanted the whole paper suppressed, 
claiming — without explaining why, of course — that circulating Merkle’s 
scheme would be a national security risk. 

Xerox, as a huge government contractor, quietly agreed to the 
agency’s request. Normally, that might have been the end of it. But in 
this case, apparently one of the outside reviewers of Merkle’s paper 
was upset that the agency had spiked it — so upset that he or she 
slipped it to an independent watchdog, a computer-hacker millionaire 
named John Gilmore. 

Gilmore had a weapon that wasn’t available a decade earlier, when 
the prepublication process was initiated: the Internet. One of the most 
popular Usenet discussion groups on this global web of computers 
was called sci.crypt. It was sort of an all-night-diner equivalent of the 
yearly Crypto feasts in Santa Barbara, featuring a steady stream of 
new ideas, criticism of old schemes, and news briefs from the code 
world. Gilmore posted Merkle’s paper to the group, and in an instant, 
it went out to readers on 8000 different computers around the world. 
Cyberspace had made the NSA’s prepublication system irrelevant. 

The agency rescinded its request to withhold publication. Anyway, 
by then even the bureaucrats at The Fort were getting wise to a new 
reality: its real challenges weren’t coming from academic papers but 
from the marketplace. And the prime example was that once moribund 
public key software company, now rejuvenated by Jim Bidzos. 


As the 1990s approached, Bidzos was dancing a complicated pas 
de deux with the National Security Agency. Though he had no real 
proof of it, he now imagined that behind the scenes it was working 
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overtime to sabotage him and his company. It seemed that a lot of his 
potential customers showed enthusiasm at first, but then mysteriously 
stopped returning his calls. There were also government agencies 
whose interest in deploying his products suddenly evaporated. Bidzos 
felt in his bones that the silence resulted not from a failure of his sales 
prowess, but from clandestine pressure from Maryland. 

He even came to wonder about the nature of a relationship he had 
with a woman who for some reason spontaneously began giving him 
inside dope on the NSA. It had seemed plausible at the time, but later 
he wondered whether she was being paid to feed him disinformation. 
“I believe in the intelligence community they call it a ‘honey trap,’ ” he 
later said. It was ironic that from time to time people would still won- 
der whether Bidzos was some sort of double agent, putting on a cha- 
rade of fighting the NSA while secretly implanting back doors in his 
company’s technology. In his mind, he truly believed that he was the 
single greatest thorn in the agency’s cybernetic paw. 

But what really scared Jim Bidzos circa 1990 was not the National 
Security Agency, but a far more immediate threat to his business. It 
involved not the government but the public key cryptography patents 
that were the foundation of his technology. The problem involved a 
company whose products didn’t compete directly with those of RSA — 
but whose patents threatened the company’s existence. 

The company was named Cylink, and its own history was consid- 
erably more placid than the roller-coaster ride of RSA. Its cofounder, 
Jim Omura, was a Stanford Ph.D. who became a UCLA professor in 
electrical engineering. His main field was information theory. Like just 
about everyone in computer science back then who didn’t work for the 
NSA, he knew almost nothing about cryptography. But he knew of a 
young associate professor at Stanford who was interested in the sub- 
ject. “I used to ask him, ‘Why waste your time in cryptography?’ It 
seemed like there was nothing there,” says Omura. Fortunately for the 
invention of public key cryptography, the professor — Marty Heilman — 
didn’t take Omura’s advice. 

By the late 1970s, Omura’s views had changed, however, and he 
became an expert in the field. For extra money he would teach a five- 
day cryptography course to people in industry, mainly government 
contractors who wanted to develop products for the military. It cov- 
ered the basic principles of crypto, and he taught it not only in the 
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United States but also in places like Switzerland. “We had to be care- 
ful not to include any classified knowledge,” he says. Omura himself 
had never been briefed with classified material, but who knows what 
the government might consider verboten? 

After a few years, Omura and a friend began tinkering with actual 
code, and they came up with a hardware product: a silicon -chip imple- 
mentation of public key, using the Diffie- Heilman key exchange. He 
went to another friend, Lew Morris, who was an early participant in 
Sun Microsystems, and they began to explore the idea of making a 
business out of it. They wrote a business plan, and started making the 
rounds of venture capitalists. 

This was in 1984, about the same time that RSA was going through 
its roughest period. Omura and Morris didn’t find the going any 
easier. “The venture community then couldn’t have cared less about 
information security,” says Omura. It was only through a private 
referral that the business plan fell into the hands of Jim Simons, who 
was not only a mathematician and cryptographer (he’d been one of the 
early reviewers of Lucifer) but dabbled in venture capital as well. He 
agreed to help put the newly dubbed Cylink company on its feet. 

Unlike RSA, which had a mission of getting crypto into the hands 
of the general public, Cylink focused on securing the communica- 
tions of big companies, typically those that were government con- 
tractors. Cylink wasn’t about to push the envelope of what the NSA 
would or would not permit. Its first product, shipped in 1986, was 
dubbed the CIDEC-HS (so much for sexy branding). It was a chip- 
stuffed metal box that scrambled telephone communications within a 
company, using a hybrid crypto system: Diffie-Hellman to generate 
keys, DES to encrypt the data. Since many of Cylink’s customers 
were financial institutions that had already won clearance to use 
DES -based cryptography (including SWIFT, the international clearing- 
house for bank transactions, which handled over a trillion dollars on a 
slow day), Cylink didn’t run into the export problems plaguing soft- 
ware companies like Lotus. It quickly became profitable. 

From the start, of course, Cylink had gone to Stanford University 
to license the Diffie-Hellman patent. At first, the arrangement was 
nonexclusive. “Stanford was deliriously happy,” says Robert Fougner, 
Cylink’s general counsel. “They’d finally found someone who was 
going to actually use the patent, and we made a very, very good deal 
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with Stanford.” During the mid-1980s, in fact, while RSA was strug- 
gling to establish itself, Cylink seemed to be the only company turning 
a buck from public key. The relationship with Stanford flourished. 
Eventually, Cylink proposed that the university give the company 
additional rights to the public key patents. Essentially, it wanted to 
control all the patents itself. When others sought to devise and market 
potential public key crypto schemes, they would go not to Stanford for 
the licensing rights, but to Cylink for sublicensing rights. 

Stanford agreed to this, but there was a significant wrinkle: a con- 
tinuing conflict over its patent rights and those of MIT, which owned 
the RSA patent. Stanford believed that its patents were, essentially, the 
public key patents, since they embodied the broad idea of split-key 
cryptography. By this logic, anyone who wanted to use the RSA 
scheme would also have to license the Stanford patents. MIT’s 
lawyers, however, believed that RSA could stand alone. This disagree- 
ment triggered tension between the universities that went on for sev- 
eral years. It was (pardon the expression) a low-key dispute, since 
there wasn’t much money involved at the time. 

Even so, everyone felt that a dispute between two august institu- 
tions was unseemly, and finally the parties reached a compromise. 
Stanford bundled all its public key patents and sublicensed them to 
MIT. MIT in turn transferred those rights to RSA Data Security, Inc. 
This removed a huge cloud hanging over RSA, whose system really did 
depend on the original public key idea of Whit Diffie and Marty Hell- 
man. Now its software was not only fully covered by patent protection, 
but there was no question of infringing on the Stanford patent. 

While this was fine for RSA, it put Cylink at a disadvantage. Now if 
someone wanted to license public key crypto, they could go either to 
Cylink or to RSA Data Security. But only from RSA could they acquire 
the rights to the public key system created by its founders. This didn’t 
become a problem immediately, since the two companies were pursu- 
ing different customers. While both championed public key and 
were located within ten miles of each other, Cylink was, in Fougner’s 
words, “very insular, very inward . . . focused on our technology, on 
making a good product, on selling that product to a [limited, but] nice 
portfolio of customers.” On the other hand, RSA’s marketplace was 
the broader world of personal computing, with their eyes on a mass 
market. 
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Almost inevitably, though, the companies found themselves up 
against each other. Because of the way the patents were divided, each 
company had an interest in encouraging a certain approach to public 
key software — and disparaging the other approach. Because Cylink 
didn’t have access to MIT’s patents, it aggressively promoted the idea 
of using the Diffie-Hellman key exchange. Previously, people in the 
field had thought that, in a practical sense, the Stanford -derived work 
only provided for a way for two parties to agree upon secret keys; 
unlike RSA, it didn’t outline the means for a full and efficient public 
key cryptosystem. But Cylink believed that by cleverly using the Diffie- 
Hellman patents, users could do everything that RSA did, just as ele- 
gantly: privacy, authentication, the whole works. Jim Omura had 
written a paper about it in 1987. “You could use the Stanford patents 
to do the same thing as RSA,” says Omura. “I think this upset Jim Bid- 
zos because suddenly his technology wasn’t the unique technology.” 

“In order for RSA to succeed, it had to promote its software imple- 
mentations, which were really focused on the MIT software,” says 
Fougner. “And here was Cylink having obvious commercial success 
with the Stanford-type technology. There was going to be a fight, or 
there was going to be a business deal.” 

Fougner himself joined Cylink as counsel in 1989 specifically to 
deal with this issue. On his second day of work, he met with Jim Bid- 
zos. He had little idea what to expect. Would Bidzos, who already had 
gained a reputation within the budding industry as a pressure artist, 
play tough? Far from it. As Fougner recalls, Bidzos took pains to 
appear submissive, acting as if he were almost in awe of Cylink’s 
financial success. RSA, he told Fougner, was still struggling to keep its 
head above water: Cylink had nothing to worry about from RSA. On 
the other hand, both companies faced an uphill battle getting crypto 
established more widely. Both of them, Bidzos said, were evangelizing 
a technology that nobody understood, that nobody wanted to pay for. 
On top of that, here were the two top public key companies, each 
promoting a different implementation, and confusing the hell out of 
everybody! 

Let’s not fight each other, said Bidzos. Why not pool all the patents, 
work together, agree on a public key standard, and license the hell out 
of it? We’ll make a gazillion dollars! 

It made a lot of sense to Fougner. Why not join forces? For one 
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thing, he figured, it would probably make Stanford’s lawyers happy. 
They had long regretted granting MIT the sublicensing rights to its 
patents. By making RSA a one-stop shop for public key, Stanford had 
cut itself out of the loop! “The joke at Stanford,” says Fougner, “was 
that the MIT deal was often used in their seminars as an example of 
what not to do in patent licensing.” So Bidzos’s idea of putting all the 
patents in one pot (with the promise of more fees for the public key 
patents) sounded very attractive to the Stanford people, and they 
urged Cylink to go along with it. 

On October 1 7, 1 989 — the same day that an earthquake charting 
7.0 on the Richter scale rocked the Bay Area — the two companies and 
the two universities came to an understanding. (The formal contract 
was signed the following April.) The patents would all belong to a new 
corporation jointly owned by RSA and Cylink. Control of the new 
entity, called Public Key Partners (PKP), would be shared equally 
between the two parent firms. Bidzos, arguing that the MIT rights 
were worth more (RSA had already gained some access to Stanford’s 
patents whereas Cylink had no rights to use RSA’s technology), nego- 
tiated a favorable revenue split: 55-45 in his company’s favor. Mean- 
while the universities themselves got only a fraction of the potential 
cash: out of every dollar paid to PKP by sublicensees for patent rights, 
Stanford University would get nine cents and MIT would take in a lit- 
tle under fourteen cents. 

Omura recalls that after the partnership was established, Bidzos 
tried to get Cylink to downplay the idea that people could perform 
public key functions without the RSA algorithm. “He essentially said 
to me, ‘Now that we’re partners, I hope you’ll stop promoting the 
Diffie-Hellman approach and support RSA.’ ” Omura told him that 
his company would still use the alternative method, but didn’t see why 
that should be a problem. “It doesn’t matter what technology we use,” 
he said to Bidzos. “We’re partners.” 

“In 1990, who cared?” explains Fougner. “Within a couple of 
years, though, a lot of people cared.” 

Initially, the two executives of Public Key Partners, Fougner and 
Bidzos, worked well together. Technically, Fougner was head of 
licensing and Bidzos the president. But the bylaws dictated unanimous 
consent on any decisions. For Fougner, an unassuming corporate 
lawyer, teaming up with a swashbuckling deal-maker like Bidzos, the 
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enterprise was sort of a mad adventure. Two wild and crazy guys, try- 
ing to set a global standard for public key cryptography — and make 
tons of money for their respective companies. 

So enamored was Fougner of the idea that he tended to shrug off 
the almost immediate signs that in many ways the interests of RSA and 
Cylink remained divergent. The first order of business for PKP was to 
send a letter to the National Institute of Standards and Technology 
(NIST), the government agency that acted as the ultimate referee of 
what protocols the marketplace should agree upon as a standard. In 
large part, the success of the partnership between the two companies 
would depend on whether NIST adopted as standards the patents now 
jointly controlled by Bidzos and Fougner. There were actually several 
different cryptographic standards that NIST would have to approve: 
one for digital signatures, one for encryption, one for key exchange, 
and so on. Once these were determined, the crypto revolution would 
be poised for liftoff. All the software developers would know exactly 
which algorithms were required for privacy and authentication, and 
they would build them into their programs. All the programs would 
then interact with each other: once this got going, a user of Lotus 
would be able to send encrypted mail to someone using WordPerfect, 
and a Microsoft Word user could stamp a digital signature on his or 
her Intuit account ledger. It was a crucial step for a crypto society, and 
NIST knew it. 

The government decided to establish the digital signature 
technology as the first standard. Uh-oh. Cylink and RSA had different 
approaches to signatures, each one based on their separate public key 
religions: Stanford or MIT. Which one would PKP offer to the gov- 
ernment as its official candidate for a standard? Jim Bidzos had the 
answer: Let’s make this one RSA, he said. The Cylink people were 
unsure; after all, they’d been working on Diffie- Heilman signatures 
for six years. Bidzos had an answer to that: We’ll do RSA for signa- 
ture, and when it comes to a key-management standard (the means 
of handling and verifying the zillions of digital keys that a large-scale 
system would handle), we’ll do Diffie- Heilman. The Cylink people 
agreed. Public Key Partnership’s letter to NIST, under Fougner’s sig- 
nature, went out on April 20, just two weeks after PKP was formally 
established. It urged that the agency adopt the RSA scheme as a stan- 
dard. “Public Key Partners,” the letter said, “hereby gives its assurance 


174 | crypto 


that licenses to practice RSA signatures will be available under rea- 
sonable terms and conditions on a nondiscriminatory basis.” 

But when it came to digital signatures, the government had its own 
ideas. 


In the midst of all that wrangling, Jim Bidzos was still concerned with 
keeping his company afloat. He was now working on his biggest 
licensing deal yet — a broad arrangement with the most powerful soft- 
ware company on earth: Microsoft, the White Whale of high tech. For 
the previous few years, its wizards had become increasingly aware that 
their customers might need cryptography built into Microsoft prod- 
ucts. From the company headquarters in Redmond, Washington, its 
chief technical officer, Nathan Myhrvold, had begun to circulate 
memos on how crucial this would become. Myhrvold often invoked 
his grandmother, who lived in a small farm community where people 
left their doors unlocked: This was fine in an isolated setting where 
strangers were seldom seen, but simply would not do in an urban set- 
ting. It was the same with computers, he would say; they were moving 
from isolated, unconnected units on desktops to networked nodes in 
a large infrastructure. To protect everything from taxes to medical 
records, you needed locks, and Myhrvold understood that public key 
cryptography would provide those locks. 

Myhrvold had been in college when Martin Gardner’s Scientific 
American article about RSA appeared. “I thought it was infinitely 
cool,” he said, and the future physicist (who would study under 
Stephen Hawking at Cambridge University) devoured the RSA paper 
as well as the Diffie- Heilman paper that inspired it. A decade later, 
after a software company Myhrvold had started was bought out by 
Microsoft, he had become one of Bill Gates’s most trusted lieutenants. 
He was excited about his opportunity to help get public key into the 
mainstream. As was the case with Ray Ozzie and Lotus, he wound up 
dealing with the obvious person: Jim Bidzos. 

The Microsoft license was crucial to Bidzos. It would make his 
technology a security standard for the hundreds of millions of cus- 
tomers who used Microsoft’s DOS and Windows operating systems 
as well as its applications like the word-processor Word and the 
spreadsheet Excel. Nonetheless, Bidzos approached the negotiations 
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with his usual aggressiveness, boasting that, as the patent holder, he 
was the only game in town for crypto supplicants. Myhrvold wasn’t 
intimidated. If RSA is so great, he wanted to know, why isn’t anybody 
else using it? He conceded that public key systems may be inevitable, 
but joked with Bidzos that they might not catch on until the patents 
ran out toward the end of the century. 

Bidzos wasn’t fazed, and the negotiations proceeded — two major 
egos, each giving as good as he got. The issues were complicated 
because Microsoft wanted the right to modify the code of RSA’s crypto 
toolkits to suit their products. Inevitably, though, as Ray Ozzie had 
already learned, there was an even bigger hurdle facing all of them: the 
export laws. 

Anticipating that including crypto in its products would be prob- 
lematic, Microsoft had begun a dialogue with the NSA. Though 
cordial, the new relationship was uneasy. The first few times represen- 
tatives from Fort Meade ventured to the Redmond headquarters, they 
wouldn’t even reveal their last names; to get them building passes, 
Myhrvold had to go to the reception desk to approve badges with first 
names only. “They were reflexively secretive,” says Myhrvold, half 
amused and half annoyed. Worse, they never seemed to be explicit 
about what was and was not permitted. But they were vocal about one 
thing: RSA Data Security. They seemed to have it in for the company. 

Obviously, the NSA people did not relish the prospect of this 
upstart company providing a surveillance-proof shield to hundreds of 
millions of Microsoft customers. As Myhrvold tells it, they tried to 
turn him against Jim Bidzos and his company. Their method of dis- 
suasion was interesting. Without saying it outright, they began drop- 
ping broad hints that behind the Triple Fence, the cipher devised by 
Rivest, Shamir, and Adleman had already been broken. Myhrvold was 
worried about giving his customers reasonable security — if the gov- 
ernment could crack the code, why not a crook? — so he grilled Bidzos 
about the NSA’s claim. 

Bidzos was stunned: he’d felt the Microsoft deal was almost com- 
pleted. He sprang into action to refute the charges. “We contacted 
every number theorist, every mathematician, every researcher in this 
field we knew, and within twenty-four hours had gotten back,” he 
says. “[Microsoft was] blown away by what we had done and they said 
that obviously the charge isn’t true.” 
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Myhrvold’s recollection is different. He says that the refutation 
was superfluous: he always did believe the RSA algorithm was sound. 
But Myhrvold does say that he teased Bidzos by noting that no sys- 
tem short of a one-time pad could be provably impervious to crypt- 
analysis. Bidzos answered, quite reasonably, that one could trust a 
publicly published cipher — open to challenge from anyone in the 
community — more than one of the NSA’s secret algorithms. RSA’s 
future was totally linked to the strength of its codes, so it had every 
incentive to make sure those codes were strong. “If somebody breaks 
it,” Bidzos said, “what you’ve got are the remnants of a once-valuable 
company.” In any case, Bidzos convinced Myhrvold. To Myhrvold the 
NSA’s antipathy toward RSA was in a sense an endorsement: why 
would the agency want it stopped so much unless it was actually hard 
to break? 

But the NSA wasn’t through. According to Myhrvold, the agency 
made another eleventh-hour attempt to discourage Microsoft from 
licensing RSA, this time questioning the validity of the company’s 
patents. In addition, its people speculated that future government 
standards would not use RSA technology, and Microsoft might have 
an orphaned set of algorithms. Bidzos rushed back to Redmond to 
orchestrate a presentation that conclusively proved the solidity and 
breadth of his patent rights. 

According to Bidzos, the final NSA attempt at sabotaging the deal 
came when an agency official called Myhrvold and said, basically, 
“Don’t do it.” (Myhrvold says that he doesn’t recollect those words 
specifically, but confirms the NSA conveyed to Microsoft that it 
believed licensing RSA would be a mistake: a powerful disincentive for 
the software giant to link up with this unproven company.) 

Bidzos was furious. As he recollects now, he dialed up the highest 
ranking person he knew behind the Triple Fence and laid out what he 
had heard. Then, before his contact could utter a word in reply, he 
demanded that the official fix the problem and call Microsoft back to 
tell them that the agency had made a big mistake. “If that doesn’t 
work, you’re going to answer to the congressman in my district,” he 
said. “If that doesn’t work, you’re going to answer to a district attor- 
ney, because I’m going to file a complaint. If that doesn’t work, I’ll try 
the New York Times. But one way or another, if you don’t fix this, I’m 
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gonna make you answer for it.” Bidzos more or less expected his con- 
tact to deny everything, or at least insist that he knew nothing of the 
sabotage. Instead, Bidzos claims, the man said, “I’ll call them.” And, 
according to Bidzos, his contact called Microsoft and recanted. 

The path was now clear for a deal. One small point holding up the 
arrangement had been Bidzos’s insistence that Bill Gates personally 
sign the contract. Bidzos wanted to display that final page of the con- 
tract on his wall, and what would it look like without the John Han- 
cock of Microsoft’s famous CEO? By implying that Gates’s signature 
might be a problem, Myhrvold brags that he was able to get a few deal 
sweeteners from Bidzos. (But Bidzos got a sweetener, too — Gates’s 
presence at an RSA event.) 

A few days later, over Memorial Day weekend in 1991, Bidzos 
called Fougner to boast about the now-completed deal. Fougner 
recalls being blown away. “Jim, that’s amazing,” he said. “You got 
Microsoft to license your proprietary toolkit, and they’re going to put 
it in their operating system? That’s unbelievable! How did you do 
that?” 

“Salesmanship, Bob,” said Jim Bidzos. “I’m a great salesman.” 


Salesmanship or not, by early 1991, the future of the public key 
patents was very much in doubt because of the lack of a government 
endorsement. Bidzos was, of course, desperate to have RSA estab- 
lished as the standard. Early in the process, NIST, the arbiter of the 
process, had been enthusiastic about doing just that. RSA, wrote a 
senior scientist at the agency, was “a most versatile public key sys- 
tem.” Indeed, as late as December 1990, NIST was trying to convince 
Bidzos’s foe, the NSA — whose voice in the process was crucial — that 
the system should be adopted. Not only was it commercially effective, 
said its representatives in meetings with the intelligence agency, but 
there was no reasonable technical argument for anything else. 

But then progress stalled. None of the entreaties from Bidzos or 
Fougner to establish RSA as the standard seemed to have been effec- 
tive. And on August 30, 1991, it became clear why. The National 
Security Agency had devised its own scheme. 

Publishing in the Federal Register, NIST proposed a new set of 
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algorithms as the prime candidate for a standard. The government’s 
product, known as the Digital Signature Algorithm (DSA), was writ- 
ten by an NSA employee named David Kravitz. In many ways, it was 
similar to the RSA signature scheme. Both schemes employed a pub- 
lic-private key pair. In both, when Alice wishes to prepare a digitally 
signed message, she first applies an algorithm known as a hash func- 
tion, which boils the content down to a compressed “message digest.” 
(This, essentially, is the message boiled down to its essence, for easy 
processing.) Then, by way of a mathematical function that uses Alice’s 
unique private key, that message digest is scrambled, or “signed.” 
Both the original message and the digest are then sent off to Bob. 
When Bob — or anyone else — gets the message, he now has a way to 
verify that it was indeed Alice who sent it and that the message itself 
wasn’t tampered with in transit. He uses Alice’s public key to “unsign” 
the message and the digest. Then he uses the hash function to re- 
create Alice’s message from the digest. Only if the letter came from 
Alice and only if the content was unchanged would the re-creation 
match the original. 

The government method differed from RSA’s signature scheme in 
one profound way: its public-private key pair could be used only for 
authentication, not encryption. In other words, this was a public key 
system that couldn’t keep a secret. Thus it presented no threat to 
national security or law enforcement — literally, it was just what the 
government ordered. “Our underlying strategy,” an NIST official 
would testify to Congress, “was to develop encryption technologies 
that did not do damage to national security or law enforcement capa- 
bilities in this country. And our objective . . . was to come out with a 
technology that did signatures and nothing else very well.” 

But NIST, which originally looked favorably on adopting the RSA 
solution, came to adopt this objective only after pressure from Fort 
Meade. During the last months of 1990, the NSA had been pushing 
hard for its system, and in February 1991, its new director, General 
William O. Studeman, forced the issue, urging NIST to “cut short the 
debate and get on with the things that need to be done to provide 
the necessary protection.” At the next meeting of the two agencies’ 
joint technical working group, NIST representatives raised the white 
flag, and indicated that their management “has accepted the NSA’s 
proposal.” But when NIST publicly signed off on the NSA-created 
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algorithm in April, nothing was mentioned about the involvement of 
the secret intelligence agency. 

Bidzos wasn’t fooled, though, and was furious about the govern- 
ment’s choice of the DSA as its standard. He contended that the NSA 
had completely subverted the Commerce Department, the agency 
to which NIST belonged. Instead of helping American industry, he 
charged, the Commerce Department was now working against it, 
totally in service to the spooks. (This suspicion was later bolstered by 
a congressional investigation that led the House Government Opera- 
tions Committee to declare, “NSA is the wrong agency to be put in 
charge of this important program.”) The next step, Bidzos warned, 
would be the unveiling of an encryption standard that didn’t adopt the 
familiar algorithms — his algorithms! — but some new ones that the 
government could break. 

Bidzos had a lot of ammunition for his attack. In purely technical 
terms, it was clear that the DSA was inferior to RSA. It was, as one 
observer put it, “an oddball standard,” much slower to verify signa- 
tures than RSA’s system (though faster to sign messages), more diffi- 
cult to implement, and more complicated. And, of course, it didn’t 
have encryption. Unlike RSA, it had no track record. The govern- 
ment scheme did offer one advantage over RSA, however, something 
that Bidzos was hard-pressed to match. It was free. Indeed, in the 
August 30 announcement, the government had proclaimed its inten- 
tion to make its signature standard available worldwide on a royalty- 
free basis. 

Bidzos felt he could fight the proposed standard by way of a patent 
challenge. But that would not be easy. Public Key Partners, of course, 
controlled the Stanford patents that involved the first digital signa- 
tures. But the government claimed that its scheme bypassed those 
patents by relying on a different implementation of digital signatures, 
one designed by another Stanford cryptographer named Tehar ElGa- 
mal. A former student of Heilman’s, ElGamal had refined the idea of 
using the hash algorithm and the message digest for digital signatures. 
But ElGamal had made the mistake of publishing before applying for 
a patent (his paper had appeared in 1985), thus forfeiting his rights 
to a patent. So if the government’s claim was correct, the DSA was 
free and clear of any patent claims. 

Bidzos disagreed, but he understood that staking his claim would be 
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time-consuming and costly. Still, there was one other way to accuse the 
government of pilfering intellectual property. It involved yet another 
patent. 

This one was based on the work of a German cryptographer named 
Claus Schnorr, who’d patented his own digital signature scheme in 
February 1991. After hearing about the DSA, Schnorr insisted that it 
infringed upon his patent, and demanded $2 million from the United 
States. To many observers, this was overstepping: the conventional 
wisdom was that both Schnorr’s and Kravitz’s systems were variations 
of ElGamal’s work. Nonetheless, the government was concerned. In 
its own patent application, it took pains to assert that the ideas behind 
the DSA were independent of Schnorr. Still, Schnorr had at the least 
a “scarecrow” patent: a claim that might not prove to be defensible in 
a long, drawn-out lawsuit, but one that nonetheless gave its holder a 
plausible reason to attack a similar concept. As long as Schnorr was 
unhappy, the government had a problem. 

Bidzos saw this as a great opportunity. While the government 
dithered, he would try to add the German’s patent to the Public Key 
Partners portfolio. It would be like landing on Park Place after already 
owning Boardwalk: patent monopoly! Bidzos found out that Schnorr 
was attending a conference in Marseilles, so he flew there with 
Fougner in tow. They arranged to have lunch at a one of the fanciest 
restaurants in town. The meal lasted for hours, with multiple bottles 
of fine wine delivered to the table. Schnorr was in his midforties, a 
conservative scientist who was proud of his most recent triumph — 
winning the lucrative Leipzig Prize. Bidzos quickly figured out the way 
to handle him. “I talked to him like a coach would to a tennis player,” 
says Bidzos. “That he could do it himself, or he could let me negoti- 
ate his deals and manage his contracts and endorsements, so he could 
work on his game.” Fougner was impressed at the hard sell. “Bidzos 
regaled him with tales of his friendship with Bill Gates and his global 
vision of public key cryptography and the universe,” he says. 

The meal finally wound down, with the waiters standing around, 
anxious to clear this final table. They moved to a pub by the water- 
front. Fougner quickly sketched out on a piece of paper a transfer by 
which PKP would receive all rights from Schnorr’s patent. At the pub, 
in the shadow of a fifteenth-century galleon, Schnorr, whether capti- 
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vated by Bidzos’s promises of riches, or just plain exhausted, signed 
the paper. 

When Bidzos got back to the States, he had another in his endless 
series of meetings with NIST. His contacts were Dennis Branstad and 
Lyn McNulty, two computer scientists at the agency who were often 
caught between the demands of the public and those of their bosses. In 
hoping to resolve the government’s patent problems, they had been 
desperately urging NIST to buy the Schnorr patent. They also wanted 
to pay off RSA to clear up any alleged conflict with the Stanford 
patents, and they assumed the meeting would focus on such an offer. 
Instead, Bidzos began by declaring, “I represent Claus Schnorr and 
you’re infringing on my patent.” 

Bidzos was exultant. "I had never seen two guys look more tired,” 
he later boasted. 

Meanwhile, Bidzos was helping engineer opposition to the DSA 
on other fronts. As a response to the August 30 Federal Register 
announcement, NIST had received 109 comments on the scheme, the 
vast majority of them critical. Companies already using RSA, includ- 
ing Microsoft and Lotus, were unhappy that their investment in that 
scheme would be lost, and they would have to develop new software 
for the new standard. Other complaints dealt with the relatively lag- 
gardly computation rate of the DSA. Also, critics were concerned 
about the vulnerability of the scheme. Because the proposed standard 
used only 512-bit keys to calculate the signatures (RSA used 1024 
bits), there was a question about whether the powerful computers 
inside the Triple Fence might be able to churn out forgeries. How 
could anyone assert that a signature was valid beyond question when 
an intelligence agency had the potential to create counterfeits? To Ron 
Rivest, the whole thing was symbolic of the government’s policy in 
general: “What crypto policy should this country have?” he asked at 
a 1992 conference held in D.C. “Codes which are breakable or not?” 

Though the controversy never caused major debate within the gen- 
eral public, it did ignite some civil liberties groups, which had been 
closely watching the relationship between the NSA and NIST. In 
fact, the balance of power between the two agencies was risible — one 
was the flagship of our multibillion-dollar intelligence operation, the 
other a dime -store government backwater. While the liberals and the 
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libertarians hoped that the latter organization would protect the inter- 
ests of ordinary citizens, they had little confidence it would do so. 

Their fears were justified. A look at the prior history of the two 
organizations laid the blueprint for an imbalance of power. After the 
Church hearings in the seventies, the entire organization of the NSA 
had felt chastened. But in 1984, at the apex of Ronald Reagan’s presi- 
dential power, the NSA showed signs of reentering the realm of 
domestic policy. At the apparent behest of Fort Meade, Reagan issued 
a National Security Decision Directive intended to monitor informa- 
tion in databases — both in- and outside government — that fell into 
the vague category of “sensitive, but unclassified, government or 
government -derived information.” This caused a minor firestorm, 
and eventually, the NSA’s congressional nemesis, Representative Jack 
Brooks of Texas, gave the agency a tongue-lashing: “The basement of 
the White House and the back rooms of the Pentagon,” he said in a 
hearing, “are not places in which national policy should be devel- 
oped.” Eventually, the government backed down. 

The experience led some in Congress, urged by frantic lobbying 
from civil liberties groups, to create a law that would set boundaries 
for the government in the computer age. In what was an unusual 
act of independence from the demands of an intelligence agency, 
Congress in 1987 passed the Computer Security Act, which specifi- 
cally turned over the responsibility for securing the nation’s computer 
infrastructure — particularly in recommending the standards to which 
industry would adhere — from the NSA to the National Bureau of 
Standards (which was about to take on the higher -tech appellation of 
National Institute for Standards and Technology). 

Why did Congress flout the spooks? True, the civil liberties groups 
had lobbied hard. But more to the point, says Marc Rotenberg, who 
was then a staffer for Senator Patrick Leahy, “U.S. business didn’t 
particularly like the NSA setting the standards. The NSA’s concerns 
about computer security are not the concerns that businesses face — 
they weren’t worried about the Kremlin, they were worried about their 
competitors.” 

Bolstered by industry support, the lawmakers moved fast and the 
NSA was caught flat-footed. Not even an appearance by then-NSA 
director General William E. Odom could stop the bill. His complaint 
that shifting security responsibilities to the civilian agency would be an 
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unnecessary “duplication” of functions really missed the point: indus- 
try preferred that the Commerce Department, and not the spies, set 
standards for the national computer infrastructure. As one NSA offi- 
cial later wrote in a memo, “By the time we fully recognized the impli- 
cations . . . [Brooks] had it orchestrated for a unanimous -consent 
voice-vote passage.” 

Of course, The Fort was not shut totally out of the process of secur- 
ing the nation’s computers. As the undisputed world capital of crypto, 
it had invaluable expertise in computer security, and Congress out- 
lined an advisory role for Fort Meade to NIST. The question was, how 
would the two work together? In negotiations to determine that, the 
NSA sat across the table from the acting director of NIST, a bureau- 
crat named Raymond Kammer. Not only was Kammer sympathetic 
to the National Security Agency, he was actually the son of two of 
its veterans! The official Memorandum of Understanding reached 
between the two agencies did preserve the concept that NIST would 
take the lead in establishing standards, but formalized an NSA role as 
well. In “all matters related to cryptographic algorithms and crypto- 
graphic techniques,” said the memo, NIST would solicit the NSA’s 
help. To implement this, the two agencies would work through a 
“technical working group.” Though NIST was supposedly in charge 
of the process, it would not hold a majority presence in the group, 
which consisted of three people from each agency. 

Though both agencies insisted that NIST was really in the driver’s 
seat, skeptics suspected otherwise. Even with its zippy new name, 
NIST was the nerdy Mr. Peepers of government agencies, suddenly 
thrust into the center of a huge political and national security battle. 
At least one high-ranking official of the agency later admitted that 
NIST not only hadn’t sought the powers granted by the Security Act, 
but it didn’t want them once the bill was passed. “It put us in charge 
of what we didn’t want to be in charge of,” he says. 

The skirmishes over the digital signature standard seemed the 
ultimate proof that NIST was pretty much Fort Meade’s stooge. In 
the years to follow, investigations would bear this out; one General 
Accounting Office report concluded that, contrary to congressional 
intent, “NIST follows NSA’s lead in developing certain cryptographic 
standards.” Declassified documents outlining the discussions in 
the monthly meetings of the two agencies’ technical working group 
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clearly illustrated this. At every step, the NIST people seemed to be 
waiting for the NSA’s verdict on the signature issue. 

Even NIST’s own oversight group, the Computer System Security 
and Privacy Advisory Board, had serious problems with the relation- 
ship between the two agencies. In March 1992, it determined that “a 
national-level public review of the positive and negative implications 
of the widespread use of public and private key cryptography is 
required.” But the NSA wanted no part of a discussion or review, and 
squelched that idea. In a classified memo, the new NSA head, Admi- 
ral Mike McConnell, put it bluntly: “The National Security Agency 
has serious reservations about a public debate on cryptography.” 

Still, the government was beginning to feel some heat. Once again, 
Representative Jack Brooks held hearings. They featured scorching 
testimony by the NSA’s critics. Nathan Myhrvold of Microsoft testified 
that “the government’s late publication of its proposed signature stan- 
dard, together with its serious technical flaws . . . made it impossible 
for the computer industry to adopt the government standard for com- 
mercial use.” Addison Fischer, an early RSA Data Security investor 
who used the company’s algorithms in the mainframe computer prod- 
ucts of his eponymous company, invoked a powerful metaphor that 
would reappear in crypto debates to come: “Cryptography, especially 
public key cryptography, is entering the mainstream,” he said. “It is 
simply another of a long line of technological genies which is exceed- 
ingly useful, and which cannot be put back into the bottle — even if 
there may be some unpleasant side effects.” 

All of this criticism, of course, was music to Jim Bidzos’s ears. 
While he had become a crusader for the free rein of crypto, his main 
goal had always been strengthening his company. If the pressure on 
the government continued — and he kept threatening to exercise the 
Schnorr patent to fight the government’s candidate — he figured that 
eventually the standards process might go his way, and RSA tech- 
nology would at least win approval as the official digital signature 
standard. 

And then, astonishingly, the feds caved. Or at least seemed to. 

As Bidzos tells it, the government finally concluded that its own 
standard would fail not on crypto grounds but on patent grounds. At 
a June 1993 meeting at the Commerce Department, a NIST lawyer 
said the words Bidzos longed to hear: “We want to work with you.” 
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While Bidzos and his attorneys sat stunned, the official continued. 
“Why don’t you make us a proposal for a licensing situation if you 
want to be compensated? ” 

Bidzos said he would get back to them in writing. And a ne- 
gotiation began, with the government offering an amazing financial 
concession to Public Key Partners: an exclusive patent on the govern- 
ment’s algorithm, the DSA. The United States would use the DSA as 
its standard, and would pay PKP a royalty fee. It was estimated that 
this could be as high as a dollar a user. Since millions of dollars would 
potentially come from this — every citizen would use this standard to 
communicate with the government, in everything from making con- 
tracts to filing IRS returns — there was a huge incentive for Bidzos to 
accept. So he did. In this sense, he was acting on behalf of his com- 
pany’s bottom line and against the interests of the general public. After 
all, his company would now be party to the use of the NSA’s product 
as a standard, an algorithm Bidzos himself had gleefully trashed in 
public. 

Some people began to question whether RSA’s strategy of protect- 
ing crypto by patents was itself a path that retarded the progress of 
computer privacy. Maybe Bidzos was in league with the spooks. After 
all, as one observer noted, “One of the purposes of the patent system 
is to cause technology to be exploited. . . . Public key cryptography 
was invented almost twenty years ago, and yet is not yet in widespread 
use. A visit to the supermarket checkout counter reveals no digital sig- 
natures. Why not?” 

But the deal would never be closed. In its haste to eliminate a nasty 
patent battle, the government underestimated the outrage that would 
come from its abandoning a commitment to make the algorithm 
royalty-free. When the government solicited comment on the deal, the 
criticism was withering. Critics called it a $2 billion giveaway to Public 
Key Partners. The Canadian government and the European Commis- 
sion indicated that they wouldn’t pay the royalties, and to hell with the 
patents claimed by the United States government. It was a revolt that 
the government didn’t need. So NIST reneged on its offer to Bidzos, 
and reaffirmed that whatever standard it chose, it would be royalty 
free. And so, once again, it was back to square one on the digital 
signature standard. 

Bidzos was philosophical about the turnaround. He did regret 
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losing all that potential cash. But with the plan killed, Bidzos could 
once again take the side of the angels, a foe of a government that 
wanted to crush individual privacy, even if it meant impoverishing 
American software companies. 

In any case, the bickering over the signature standard was to con- 
tinue for another year. It wasn’t until October 1994 that NIST finally 
made its choice. It chose to dismiss the patent issue, ignore the over- 
whelmingly negative public response, and endorse the DSA as its 
own candidate as the official standard for digital signatures. “NIST 
reviewed all the asserted patents and concluded that none of them 
would be infringed,” it stated in a fact sheet. (To assure those who still 
had qualms, the agency took the extraordinary step of assuming lia- 
bility for anyone using the standard who might later be sued for patent 
infringement.) While NIST made some beneficial technical changes 
from its original proposal, most notably extending the key length from 
512 to 1024 bits, essentially the result was an authentication system 
created in secret by the government intelligence agency, one that vir- 
tually no one in industry had found attractive enough to adopt. This 
instead of a system already implemented by Microsoft, Apple, IBM, 
and Novell. Is it any wonder that years later, the digital signature stan- 
dard would still be an orphan — and that in the midst of an electronic 
boom, there would exist no universal means of authenticating e-mail? 

The funny thing is, as NIST scientist Lyn McNulty later said, “We 
thought that the digital signature would be the easy one.” But as con- 
tentious as it was, the battle over signatures was only a warm-up for 
the main event in the cryptography war: the war over encryption. 
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UJ hen Phil Zimmermann began his cryptography adventure, he had 
no idea that he would end up both hailed as a folk hero and investi- 
gated for violations of federal law. He acted out of scientific curiosity, 
a hobbyist’s passion, and a bit of political paranoia. Born in 1954, and 
raised in various Florida towns, he was a self-described nerd, “not 
naturally a party guy.” An odd, awkward duck. His father was a truck 
driver; both parents were alcoholics. He wanted to be an astronomer. 
In the fourth grade, though, he became captivated by codes. A Satur- 
day afternoon Miami television show called M.T. Graves and the 
Dungeon had a kids’ club. Members were sold a physical “key” to 
unscramble a secret code. During the show, a series of numbers were 
flashed on the screen and club members could use the key to translate 
them into magical, clear messages. Zimmermann never sent in the 
money to buy the key, but he jotted down the numbers anyway — and 
managed to decode them into plaintext. To an only child in a troubled 
family, transforming such gibberish into something familiar gave a 
sense of mastery, of belonging. A sense of an organized home. 

No wonder Zimmermann sought to learn more about ciphers. He 
found a book by children’s author Herbert S. Zim called Codes and 
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Secret Writing. Published by Scholastic and directed at ten- to twelve - 
year-olds, this thin volume straightforwardly conveyed the excitement 
of cryptography, almost as if its author were a senior intelligence 
executive instructing a bright, though green, recruit. “The idea of this 
book is not to give you codes to copy but to help you invent your own 
codes — not one or two but, if you like, hundreds of codes,” wrote 
Zim. “How you use your knowledge of codes is, of course, up to you.” 

The book became Zimmermann’s Bible. He faithfully attempted all 
its exercises, such as making invisible ink out of lemon juice, creating 
original ciphers, and, of course, cracking the encoded messages pre- 
sented in the book. A couple of years later, in junior high, a friend 
boasted of a code he’d made up and Zimmermann accepted the chal- 
lenge of breaking it. “Make sure it’s a long message,” Zimmermann 
told the kid, who complied, foolishly thinking that a longer message 
would be harder to crack. The message was written in runic-style sym- 
bols, vaguely evocative of the languages of Tolkien’s Middle Earth. 
Zimmermann did a frequency analysis, an elementary technique of 
cryptanalysis that simply involves counting how often alphabetic let- 
ters appear. This enabled him to solve it like a garden-variety cryp- 
togram. All to the amazement of his buddy. 

His interest in codes waned during his teenage years, and it wasn’t 
until he was in college, at Florida Atlantic University, that Zimmer- 
mann realized computers could be cryptographic tools. Though he 
was majoring in physics, he wound up spending a lot of time in the 
computer room, at first doing course-related work, but eventually just 
drinking in the elixir of programming itself. The appeal was creating 
one’s own world in the machine. “You could interact with something 
that wasn’t a living thing but seemed to be like one,” he says. Best of 
all, he was good at it, in contrast to his physics abilities. His nemesis: 
calculus. 

Though he began programming his first week at college in 1972, he 
didn’t actually see a real computer for a year, because his school only 
had terminals connected to distant machines. After all, Florida Atlantic 
wasn’t MIT or Stanford. Not even a big state school. Zimmermann 
became a student assistant, teaching others to use the terminals. And 
after his second year, he dropped physics for computer science. 

He rediscovered his passion for ciphers in that computer room. 
One of his experiments involved writing his own secret code, using the 
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now- antiquated FORTRAN computer language. His scheme used 
random number functions to substitute each character in a plaintext 
message with a different character. The random number function was 
keyed with a password. Because his code couldn’t be broken by fre- 
quency analysis (the randomizing function would change a “t” early 
in the message to one thing and subsequent “t’s” to different charac- 
ters), Zimmermann figured that not even the CIA could break it. He’d 
never imagined techniques like chosen plaintext attacks, or decon- 
structing random number generators. (And he’d never heard of the 
NSA.) As it was, years later he would encounter that same “unbreak- 
able” cipher, presented in a student homework assignment as a cipher 
that could be easily broken with basic cryptanalytic techniques. “So 
much for my brilliant scheme,” he says. 

In the summer of 1977, with only one course to go before gradua- 
tion and already employed at a minicomputer company in Fort Lau- 
derdale, Zimmermann came across the Mathematical Recreations 
column of Scientific American, and found something that blew his 
mind. It was, of course, Martin Gardner’s description of public key 
and the RSA algorithm. He was hungry to know more. Out of the 
blue, he called Ron Rivest at MIT and asked him about the possibili- 
ties of implementing the system on a computer. Rivest told him that 
in the course of experimenting, the MIT group had already done that 
in LISP, a tony computer language used for artificial intelligence work. 
“That’s out of my reach,” said a disappointed Zimmermann, who had 
never had access to the flashy LISP machines; they were luxury items 
costing $100,000 and geared for research, not practical tasks like 
accounting. Though high-level arithmetic wasn’t his strong point, 
Zimmermann understood that the odds of getting a LISP box at 
Florida Atlantic University approached infinity to one. He wondered, 
however, whether he could do RSA on one of those cheap new micro- 
computers. That would be different. Zimmermann had a partial share 
in one of the clunky low-cost machines of the time — it ran on a Zylog 
Z-80 processor, sort of the Model A of the mid-1970s. But as he 
thought about implementing RSA, he realized that he had little idea of 
how to do some of the extended arithmetic routines explained in the 
MIT paper. So he didn’t try. 

There were other things happening in Phil Zimmermann’ s life then. 
The same year he discovered RSA, he married his girlfriend Kacie 
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Cavenaugh, who worked on the college switchboard. Not long after- 
ward, the young couple visited friends in Boulder, Colorado, and fell 
in love with the area. Zimmermann returned to his Florida job but 
began planning for a move, and a year later he and Kacie packed up 
their Volkswagen Rabbit and drove to the Rockies. He got a job at a 
software company making workstation word processors, and began 
raising a family: their son was born in 1980. And then he heard Daniel 
Ellsberg speak at a nuclear freeze rally in Denver. 

In high school, Phil Zimmermann had pretty much ignored Viet- 
nam, but at Florida Atlantic he had come to adopt a passive but heart- 
felt antigovernment stance. The Nixon scandals had opened his eyes 
to how brazenly the government could lie. By the time of Ronald Rea- 
gan’s presidency, he had totally soured on politics. He read Robert 
Scheer’s With Enough Shovels, and worried about nuclear annihilation. 
Zimmermann and his wife decided to move to New Zealand, the bet- 
ter to avoid the coming holocaust. They went so far as to acquire pass- 
ports and immigration papers. (He had yet to learn that there wasn’t 
much of a computer industry in New Zealand.) And then he attended 
the 1 982 rally where he heard Ellsberg, who, after his famous moment 
as the emancipator of the Pentagon Papers, had become a leading 
antinuclear activist. Zimmermann was galvanized. From that point on, 
he forgot about emigrating and decided to become active himself — to 
stay and fight. 

He and some friends were starting a company they called Meta- 
morphic Systems, and they planned to produce a circuit board for 
Apple computers that would run Intel-compatible programs. But Zim- 
mermann still found time to dig into every book he could find on 
NATO policy, weapon systems, and the like. He would spend hun- 
dreds of dollars at a bookstore and tear through the volumes. Then he 
began teaching military policy at the Free University in Boulder. He 
spoke at nuclear freeze rallies and advised a couple of candidates for 
Congress. Twice he was arrested at rallies, once at the Nevada nuclear 
testing range, alongside his heroes Ellsberg and Carl Sagan. (Neither 
arrest resulted in any charges filed.) 

But as the eighties moved on, the nuclear freeze movement seemed 
to lose steam. Metamorphic Systems wasn’t doing well either: once 
the IBM PC became dominant, the idea of putting Intel processors 
into Apple II computers seemed kind of ridiculous. Zimmermann 
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himself was a bit lost. But then, everything changed with a single 
phone call from a programmer in Arkansas who had a scheme few 
people could appreciate more than Phil Zimmermann. 

The guy’s name was Charlie Merritt, and it turned out that he was 
actually doing the thing that Zimmermann had dreamed of since read- 
ing Martin Gardner’s column in 1977: he was implementing an RSA 
public key cryptosystem on a microcomputer. Merritt had experienced 
a similar reaction to Zimmermann’ s when he’d read about the work of 
the MIT researchers. Moving from his native Houston to Fayetteville, 
Arkansas, he started a company with several friends and they actually 
managed to create a public key program running on Z-80 computers. 
It ran very slowly, but it worked. But no one seemed to want to buy it. 
After a while, his friends dropped out, and Merritt, with his wife Hob- 
bit, began selling the program themselves. Eventually news of their 
tiny enterprise reached the multibillion -dollar intelligence operation 
in Fort Meade. Periodically the NSA would send its representatives 
to Arkansas to warn Merritt of the dire consequences that might en- 
sue if he sent any encryption packages out of the country. Since 
Merritt Software’s customers were largely overseas companies that 
wanted encryption to circumvent the peeping thugs of corrupt re- 
gimes, this restriction virtually shut the company down. To try to get 
some domestic leads, Merritt was reduced to calling obscure compa- 
nies he’d read about in computer magazines, hoping they would pack- 
age his program with their stuff. That was how he found Metamorphic 
and Phil Zimmermann. 

When Zimmermann heard what Merritt was up to, his excitement 
was so over the top that Merritt suspected a practical joke was being 
played on him: no one he’d ever met had been so nuts about encryp- 
tion. Zimmermann told Merritt all about his own passion for crypto, 
about M. T. Graves and the Dungeon and Herbert Zim and Ron Rivest. 
He professed his hatred for Big Brother. But mostly, he wanted to 
know everything Merritt had learned about making RSA work on a 
personal computer. 

Now that he knew it was possible to do so, Zimmermann became 
driven to write his own public key encryption program — for the peo- 
ple. Whereas his previous efforts in crypto had been solely performed 
as neat hacks, and as an expression of his passion for codes in gen- 
eral, he now was a sophisticated political activist who had twice been 
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dragged off to a holding pen for asserting his opinion. He now under- 
stood that in the computer age, government had an extremely power- 
ful tool for monitoring dissent: electronic surveillance. Not only could 
Big Brother types stick their collective ear into phone conversations, 
but they could pluck the increasingly popular e-mail messages out of 
the digital ether and read business plans and shameful secrets to their 
black, black hearts’ content. While electronic mail was a terrific thing, 
it actually represented a step backward in privacy: even with relatively 
insecure physical mail, people had sealed envelopes to protect the pri- 
vacy of their messages. What Zimmermann hoped to produce was the 
electronic equivalent to sealed envelopes. But if you gave people a 
crypto program to protect e-mail, you’d have something much better 
than sealed envelopes. If people all agreed to use it, he thought, it 
would be a form of solidarity, a mass movement to resist unwanted 
snooping. Right on, baby! 

Understanding the speed limitations of public key, Zimmermann fig- 
ured that his program should be a hybrid cryptosystem, using the slow 
public key RSA protocols to exchange keys and some other, speedier 
algorithm to perform the bulk encryption of the actual message. He 
was unaware of Lotus Notes, which was already implementing such a 
hybrid system, and was certainly in the dark about RSA Data Security, 
Inc., which was going to base an entire business on licensing pub- 
lic key for the kind of systems Zimmermann thought he was himself 
pioneering. (Neither did Zimmermann have a clue about the RSA 
patents.) In any case, neither of those firms had a shipping product 
in 1984. 

Zimmermann did understand several things correctly: A useful pro- 
gram should run not just on a single brand of computer, but on all 
sorts of machines. To do this, it had to be written in a computer lan- 
guage that was amenable to all sorts of different processors, and as 
any programmer knew, the language that best satisfied that require- 
ment was called C. Fortunately, Zimmermann knew C inside out. The 
program also had to be easy to use. And its circulation had to be so 
widespread that a near-ubiquity could quickly be realized. Thus it 
would benefit by the Network Effect. 

Charlie Merritt was a holdout who still hadn’t tackled C, but he was 
strong in an area where Zimmermann was sadly deficient: the compli- 
cated mathematics that enabled one to work with the huge numbers 


crypto anarchy | 193 


required by RSA. This was particularly important in implementing 
RSA on a personal computer, which used 8-bit “words” in its calcula- 
tions: it was a challenging process to apply those relatively small num- 
bers in a way that could process the mighty numbers that RSA 
demanded — 512 bits, 1028 bits, and even more. If you didn’t do it 
efficiently, the program would run so slowly that no one would ever 
use it. 

Though no immediate business deal came of Merritt’s call to Meta- 
morphic, he and Zimmermann became constant telephone corre- 
spondents, with Zimmermann soliciting all of Merritt’s knowledge of 
multiprecision arithmetic functions. It was such a complicated process 
that eventually they decided that Merritt should come to visit Zim- 
mermann in Boulder for a sort of arithmetic boot camp, in Novem- 
ber 1986. 

It was an action-packed week, and not only because of the math 
that Zimmermann learned. Merritt was working on a project for the 
navy, producing a conventional cipher; he taught it to the younger 
man. The project had been subcontracted to Merritt by a company for 
whom he’d been consulting: RSA Data Security. Before he flew to 
Boulder, he’d called the company’s new president to ask if they might 
meet in Colorado, a place that was a sight easier to get to than Fayette- 
ville, Arkansas. Jim Bidzos agreed. 

Bidzos had been looking forward to a testosterone -charged get-to- 
know-you dinner with Merritt — two guys in a steak house lighting 
cigars and swapping lies. Instead he found a third wheel was included, 
Zimmermann. And instead of a steak house, they wound up at The 
Good Earth, a brightly lit emporium of salads and grains. 

The actual conversation at the restaurant would become a matter of 
dispute. Jim Bidzos later said he had been startled when Phil Zim- 
mermann spoke of his plan to create a program that used RSA’s pro- 
prietary protocols. In fact, RSA had a similar program, and Bidzos had 
brought along two copies. This was Mailsafe, written by Rivest and 
Adleman, two guys who by now had more math and cryptography 
knowledge in their little fingers than Zimmermann had managed to 
glean from Merritt in two years. Zimmermann, however, would claim 
that Bidzos was impressed with his plans, so much so that he offered 
the programmer a free license to the RSA algorithm. Bidzos would 
later vociferously deny making any such offer. 
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In any case, Zimmermann saw no reason to change his own plans, 
and he spent the next few years furthering his didactic education on 
cryptography so he could complete his own encryption program. He 
wrote up some of his ideas in a paper that was published, to his pride, 
in IEEE Computer, a well-regarded computer-science journal. Not 
bad for a kid from Florida Atlantic University. 

Then he began working on the actual program. One crucial step 
was producing the bulk encryption algorithm that would perform 
the actual encoding of message content. Eschewing DES and the 
RSA- owned RC-2 standard devised by Ron Rivest, he attempted the 
risky course of producing his own cipher. It was based on the one that 
Charlie Merritt had taught him, the cipher Merritt had produced for 
the navy. But Zimmermann toughened the system by introducing mul- 
tiple rounds of substitution. As he refined his concept, he recalled a 
Dan Aykroyd routine from the original Saturday Night Live television 
show. Portraying a fast-talking late-night huckster, Aykroyd hawked a 
blender so powerful that you could throw a fish into it: the liquefied 
output would be a healthy juice (yum). This was the Bass-O-Matic, 
a perfect name, Zimmermann figured, for an encryption algorithm. 
Any cryptanalyst who confronted his scrambled messages would be as 
ineffectual at reconstructing them, he hoped, as someone attempting 
to reconstitute a silvery, flopping fish from the noxious goo emerging 
from the Bass-O-Matic blender. 

Zimmermann went on to other problems, and pieces fell into 
place — message digests, interface, and a range of protocols. But after 
months and months of work, all he really had were separate compo- 
nents that still weren’t tied together into a working program. “It took 
a lot more work to put them together,” he says. By 1990 — six years 
after first talking to Charlie Merritt and four years since Merritt’s visit 
to Boulder — Zimmermann realized that in order to finish he would 
have to make a total gung-ho commitment, even if it meant having to 
tighten his budget, cut out the consulting, and spend less time with his 
family. He embarked on a full-time regimen of programming. 

Zimmermann had dreamed up a name for his work in progress, 
though not one as irreverent as Bass-O-Matic. Zimmermann had been 
an early devotee of the Macintosh computer, and had experimented 
with a simple data communications program when none had existed. 
Thinking of “Ralph’s Pretty Good Grocery,” an imaginary sponsor 
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from Garrison Keillor’s A Prairie Home Companion radio show, he had 
called it “Pretty Good Terminal.” This gave him the idea for the name 
of his crypto program: Pretty Good Privacy. He never really considered 
that it might become a major brand name. But then, his marketing 
plans were vague. He did hope to make some money selling PGP, but 
figured on a modest amount using shareware rules, where people 
would download the program and pay him on the honor system. 

For the next six months, Zimmermann worked twelve-hour days in 
a bedroom of his house, which he almost lost because he didn’t have 
the money to make the mortgage payments. Maybe, he figured, if he 
finally finished PGP and released it, enough users would send him 
money to get him back on his feet. As the software got closer to com- 
pletion, he called Jim Bidzos to see if they could finally clear up the 
intellectual property issue that the RSA chief had brought up during 
that ill-fated dinner. Zimmermann explained his product and asked 
for a go-ahead to use the RSA algorithm. Bidzos was appalled at the 
request: this guy thinks we’ll just give him our crown jewels? Maybe 
instead of asking for handouts, he suggested, Zimmermann should 
develop his product for some company rich enough to get a standard 
RSA license. 

The whole conversation was so out of line with Zimmermann’ s 
vision for his product — and the dim view he took of the high-powered 
business world — that he basically ignored the whole problem and went 
back to work. 

By early 1991, Zim mermann was making progress toward a work- 
ing product. Then something happened to change his course — and to 
make PGP famous. The unlikely agent in this shift was U.S. Senator 
Joseph Biden, the head of the Senate Judiciary Committee and a 
cosponsor of pending antiterrorist legislation, Senate Bill 266. In a 
draft of the bill introduced on January 24, Biden inserted some new 
language: 

It is the sense of Congress that providers of electronic com- 
munications services and manufacturers of electronic 
communications service equipment shall ensure that com- 
munications systems permit the government to obtain the 
plaintext contents of voice, data, and other communications 
when appropriately authorized by law. [Emphasis added.] 
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A poison needle in a haystack of clauses and qualifications, this pas- 
sage originally escaped scrutiny. But its appearance was no accident. 
The language of the bill had been forged with the help of law enforce- 
ment agencies. That sentence was included at the explicit request of 
the FBI. And what a sentence it was! It plunged a virtual dagger into 
the heart of the crypto revolution. How could tech companies and ser- 
vices promise to deliver the plaintext contents of encrypted texts — the 
original messages meant to be read only by their intended recipients — 
if people scrambled them with programs like Mailsafe, Lotus Notes, 
and PGP? Logically, the only way that the “sense of Congress” could 
be satisfied would be a ban on any encryption except that equipped 
with “trapdoors” that the manufacturers and services could flip open 
at the demand of the feds. 

It wasn’t until April 1991, however, that the crypto community 
itself learned of this legislative time bomb. A consultant who had done 
work for the NSA revealed the offending clause on various Inter- 
net bulletin boards, along with apocalyptic commentary: “Are there 
readers of this list that believe that providers of electronic commu- 
nications services can reserve to themselves the ability to read all 
the traffic and still keep the traffic ‘confidential’ in any meaningful 
sense? . . . Any assertion that all use of any such trapdoors would be 
only ‘when appropriately authorized by law’ is absurd on its face. . . . 
Any such mechanism would be subject to abuse.” The message ended 
with a warning that would galvanize Phil Zimmermann: “I suggest 
you begin to stock up on crypto gear while you can still get it.” 

To Zimmermann, S. 266 was the ultimate deadline. If he didn’t get 
PGP out into the world now, the government might prevent its very 
existence. At least for the time being, domestic crypto was legal. So 
Zimmermann decided to finish up the first version of PGP quickly and 
get it out to as many people as possible. He also gave up his financial 
hopes for PGP. Instead of releasing it as shareware, he designated it 
“freeware.” This meant not only that the software didn’t cost anything, 
but also that users could themselves distribute it far and wide to oth- 
ers with the blessing of its creator. 

Fortunately, a medium existed that made it easier than in any time 
in history to circulate an encryption system like PGP: the Internet. 
In 1991, the formerly government -owned computer network was just 
beginning its meteoric rise to ubiquity. Thousands of discussion 
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groups abounded, and millions of files were downloaded every day. 
The majority of users at the time did not yet reflect the public at 
large — most were very computer savvy, and a lot of them were out- 
right nerds. But these were exactly the types of people who would 
respond to PGP, which, despite Zimmermann’s best efforts, was still 
not as easy to use as Mac Write or Tetris. 

Oddly, at that time, Zimmermann himself was not much of an 
Internet devotee. He hardly knew how to use e-mail. In this sense he 
was still the outsider looking in. But in recent months he had begun a 
correspondence with a fellow crypto enthusiast in California, Kelly 
Goen, whom he had met through Charlie Merritt. In the month after 
the on-line call to action about S. 266, Zimmermann apparently gave 
Goen a copy of his PGP software so that it could be spread on the 
Internet “like dandelion seeds,” Zimmermann later wrote. On May 24 
Goen e-mailed Jim Warren, a computer activist and columnist for 
MicroTimes, a Bay Area computer -oriented newspaper, and explained 
the purpose of flooding the networks with PGP. “The intent here,” 
wrote Goen, “is to invalidate the so-called trapdoor provision of 
the new Senate bill coming down the pike before it makes it into 
law.” In other words, if thousands of copies of PGP were in use, Sen- 
ate Bill 266 would be rendered irrelevant; when confronted with 
PGP-encrypted files, the AT&Ts of the world would not be able to 
guarantee plaintext to G-men or spooks. 

On the first weekend in June, Jim Warren got a series of calls from 
Goen, who told him that PGP day had arrived. Goen was obviously 
intoxicated with the drama of it all, taking precautions that were more 
from the book of Maxwell Smart than James Bond. “He was driving 
around the Bay Area with a laptop, acoustic coupler, and cellular 
phone,” Warren later wrote in MicroTimes. “He would stop at a pay 
phone, upload a number of copies for a few minutes, then disconnect 
and rush off to another phone miles away. He said he wanted to get 
as many copies scattered as widely as possible around the nation 
before the government could get an injunction and stop him.” 

Apparently, Goen was also careful to upload only to Internet sites 
inside the United States. Of course, once a software program appears 
on a file server, anyone in the world can download it: Pakistani hack- 
ers, Iraqi terrorists, Bulgarian freedom fighters, Swiss adulterers, Japa- 
nese high schoolers, French businessmen, Dutch child pornographers, 
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Norwegian privacy nuts, or Colombian drug dealers. Though not yet 
a cliche, an Internet slogan was already becoming a familiar refrain: 
On the Information Highway, borders are just speed bumps. 

How quickly did PGP leave the United States and find its way over- 
seas, without as much as a howdy-do to the export laws? Instantly. 
Zimmermann would later marvel at hearing that the very next day 
people in other countries were encrypting messages with PGP. How 
could Zimmermann have avoided this potentially illegal passage of his 
program to distant shores? “I could have not released it at all,” he later 
said. “But there’s no law against Americans having strong cryptogra- 
phy.” And, after all, Phil Zimmermann engineered his sudden release 
of PGP not to circumvent export laws, but to arm his countrymen, the 
people who might be affected by Senate Bill 266. His motto, as 
expressed in his documentation to the program, was “When crypto is 
outlawed, only outlaws will have crypto.” 

Ironically, Joseph Biden’s offending language, the impetus for Zim- 
mermann’s extraordinary step, met a much less enthusiastic response 
than PGP did. Senator Biden had been taken by surprise at the huge 
expression of public outrage (fueled by civil liberties groups) at the 
stealth antiprivacy language he had introduced. By June, he had 
quietly withdrawn the clause. But the incident left an unexpected 
legacy: hundreds of thousands of PGP-encrypted messages circulating 
throughout the world. Pretty Good Privacy had escaped from Phil 
Zimmermann’s hard drive and had now been cloned countless times. 
He could no more recall it than one could take back one’s words after 
they were uttered. 

Zimmermann was proud of PGP 1 .0 though defensive at its short- 
comings. Maybe it didn’t introduce any mathematical innovations. And 
maybe the coding was so disorganized that he felt compelled to apolo- 
gize for it in the documentation. But it was one of the first really usable 
personal computer solutions for a complete cryptosystem, from digital 
signatures to encryption. “If you look at what was available at that 
time, there were only laboratory petri -dish versions of RSA,” he says. 
“One had been published in Byte; it took all afternoon to do an RSA 
calculation. Mine did that in a few seconds. I had brought together a 
practical implementation that had all the things you needed to do pub- 
lic key cryptography. It was a major event ... it was a watershed 
event.” 
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One person disagreed strongly: Jim Bidzos of RSA and Public Key 
Partners. When he saw PGP, he was outraged. This was no original 
product, he felt — look at Mailsafe — but a blatant rip-off of his com- 
pany’s technology and patents. Why didn’t Zimmermann get honest 
and call it Pretty Good Piracy ? Bidzos called the Colorado program- 
mer and, literally screaming at him, demanded he remove the software 
from circulation. Despite all Bidzos’s previous animosity, Zimmermann 
was actually taken aback at this response: “I thought he would be 
delighted,” he says. He attempted to defend himself. He had done PGP 
for political reasons, not to challenge any commercial enterprises. After 
all, the Fortune 500 companies that were RSA’s potential customers 
don’t use freeware; they buy their software from companies that will 
back it up and support it. So what was the problem? 

Bidzos accused him of actually playing into the NSA’s hands — 
because anything that hurt his company was music to Fort Meade. 

Not long afterward, Bidzos had his lawyer put Zimmermann on 
legal notice that he was infringing on PKP’s patents. This worried 
Zimmermann, and he called Bidzos once again to try to make a deal. 
The basis of the agreement was simple: Zimmermann would not dis- 
tribute his software with the RSA protocols, and Bidzos would not sue 
him. An agreement was indeed drawn up to that effect, and Zimmer- 
mann signed it. But each party had his own interpretation of that 
phone conversation. Bidzos felt that the deal compelled Zimmermann 
actually to kill PGP. Zimmermann insisted that he had only affirmed 
his understanding of a hypothetical agreement: if he stopped distribu- 
tion of PGP, then he would not be sued. Zimmermann would also 
claim Bidzos gave him verbal assurances that RSA would sell licenses 
to PGP’s end-users so they could use the software without infringing 
on RSA’s patents. Bidzos denied those claims. 

It later became clear that Zimmermann’s interpretation of “distrib- 
uting PGP” was somewhat narrow. By leaving the distribution to oth- 
ers, he felt that he was free to continue his involvement with the 
software. In fact, Zimmermann was supervising a second release of 
PGP, this one with the help of some more experienced cryptographers. 

He’d realized that he needed help after a sobering experience at 
Crypto ’91 in Santa Barbara. His main mission had been to get a read- 
ing from the wizards there on the security of PGP. (Admittedly this 
task was overdue, considering that thousands of people were already 
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using the program.) Right away, he ran into Brian Snow, one of the 
top crypto mathematicians at the NSA. Zimmermann, of course, was 
curious as to whether the government was upset about PGR “If I were 
you, I would be more concerned about getting heat from Jim Bidzos 
than from the government,” said Snow. 

This puzzled Zimmermann — why wasn’t the government worried? 
Then he sought private comments on his program. After first getting 
a brush-off from Adi Shamir— the Israeli cryptographer told him 
to send the program to Israel and he’d spend ten minutes with it — 
Zimmermann got the attention of Shamir’s colleague at Weizmann, 
Eli Biham. They retreated to the UCSB cafeteria, scene of many a bull 
session and impromptu cryptanalysis at the annual conference. For 
Zimmermann, it was a long lunch in more ways than one; Biham 
quickly embarrassed the amateur cryptographer by uncovering several 
fatal flaws in Bass-O-Matic. The cipher was, for instance, vulnerable 
to a differential cryptanalysis attack. While not exactly a dead fish, the 
Bass-O-Matic was far from a prize catch. 

Zimmermann now realized that he could only truly improve PGP if 
he were to recognize his own limitations. His ultimate success at code- 
making would come from realizing that he wasn’t really a great cryp- 
tographer. He was a knowledgeable packager and programmer who 
would need ace mathematicians and cryptographers to help him with 
the hard-core details. 

Fortunately, a lot of very smart people had been excited by the 
release of PGP 1 .0. Instead of feeling burned by its weaknesses, they 
were eager to pitch in and fix them. Soon Zimmermann had recruited 
volunteers in New Zealand, Holland, and California to be his mainstay 
engineers. A casual collection of kibitzers also contributed advice 
and small pieces. Together they began work on version 2.0. Zimmer- 
mann was the chief designer, approving every decision, every line of 
the code, but he hid his role so that Bidzos wouldn’t think that he was 
abandoning his promise not to violate RSA’s patents. 

The result was PGP 2.0, an infinitely stronger product. Bass-O-Matic 
had been tossed aside (“Calling it that wasn’t too good an idea, any- 
way,” says Zimmermann. “Cryptography is something you can’t joke 
about”). In its place, Zimmermann chose a preexisting Swiss cipher 
called the International Data Encryption Algorithm, or IDEA. Written 
in 1990 by two celebrated cryptographic mathematicians, IDEA had 


crypto anarchy | 201 


quickly stood up to public scrutiny. Zimmermann felt the IDEA cipher 
was even stronger than DES, particularly with the 128-bit keys he 
recommended. “This is not,” he wrote in the 2.0 documentation, “a 
home-grown algorithm.” 

Another crucial improvement came in an area that Zimmermann 
basically had ignored with PGP 1.0: key certification, the process by 
which public keys are authenticated. Certification is often seen as the 
Achilles’ heel of public key systems. The classic conundrum in such 
systems arises when Alice wants to send something to Bob. She 
scrambles it with Bob’s public key, and only Bob can unscramble it. 
But what if Alice has never met Bob — how does she get his public 
key? If she asks him for it directly, she can’t encode her request (obvi- 
ously not, because she doesn’t have his public key yet, which she 
would use to encrypt the message). So a potential eavesdropper, Eve, 
could act as “a man in the middle,” and snatch that message en route. 
Then Eve, pretending to be Bob, could send her own public key to 
Alice, falsely representing it as Bob’s key. (This deceptive masquerade 
is known as “spoofing.”) If Alice is duped, she’ll encode her secret 
message to Bob with the key. Alas, Bob won’t be able to read anything 
scrambled with that key — only tricky Eve can. So much for the secu- 
rity of direct requests. 

What about the idea of publishing something like a digital phone 
book full of public keys? The forging problem persists, unless you 
have a certifiably secure means of protecting that book and assuring 
that the keys really do belong to their purported owners. Yes, it would 
require an extravagant effort to pull off such a fraud. But it’s possible, 
and as long as the vulnerability exists, any public key system has to 
figure out a way to get around this security hole. 

Many people have come to think that the answer lies in a large-scale 
“certification authority” to distribute and verify public keys. Such 
a center would be able to process millions of public keys. Using the 
certification authority’s own public key — presumably a key so well- 
circulated that no one could spoof it — you could securely query it to 
get someone’s key, or verify a public key someone sent you. Of course, 
such an ambitious solution was impossible for Zimmermann. He 
didn’t have the wherewithal, or money, to set up a closely monitored 
certification authority to distribute and verify public keys. So he had 
to come up with another method. 
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His solution was quite ingenious, especially since it reflected the 
outsider sensibility that generally characterized his efforts. Instead of 
a central key authority, he envisioned the PGP community itself as an 
authority. “PGP allows third parties, mutually trusted friends, to sign 
keys,” explained Zimmermann in a 1993 interview. “That proves that 
they came from who they said they came from.” By “signing” keys, 
Zimmermann was talking about a technique whereby someone in 
effect attached his or her own public key to someone else’s, as a sort 
of stamp of approval. After you generated a public key, you’d get the 
key signed by people who knew you personally. These signings were 
to be performed face-to-face, to minimize the threat of spoofing. So if 
Alice knows Bob personally, she arranges to meet him, and physically 
hands him a disk with her PGP public key. Using his copy of PGP, Bob 
signs it with his own private key. (This is done simply by selecting a 
function in the software program and clicking the mouse.) He gives 
her back the signed key and keeps a copy for his own “public key 
ring,” a collection of signed keys that PGP users are encouraged to 
keep on their hard drives. Later, a third party, Carol, might want to 
communicate with Alice but doesn’t know her. So Carol seeks out 
Alice’s public key, either from her directly or from a bulletin board 
full of public keys. In the latter case, how does she know it’s really 
Alice’s? She checks to see who has signed the key — does it have the 
imprimatur of anyone she knows? Since Carol knows Bob — and has 
earlier received a verified copy of Bob’s public key — she can establish 
the veracity of his signature. If it checks out, that means that Bob has 
really met the person who holds this new key and is implicitly telling 
Carol, “Hey, it’s really Alice.” So Carol can be sure that Alice is who 
she says she is. At least to the degree she trusts Bob. 

This system — known as a “web of trust” — requires some judgment 
on the user’s part. After all, Carol can’t be sure of Alice’s identity 
unless she personally knows someone who has physically met her and 
signed her key. What if she doesn’t know anyone who’s physically 
signed it? Is it worth trusting a second-level verification? Maybe her 
friend Bob hasn’t signed Alice’s key, but he has signed a key of some- 
one named Ted. And Ted has signed Alice’s key. Whether you’ll trust 
that signature depends on Ted’s reputation: who are the people who 
have signed his key? As more and more people used PGP, some were 
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bound to develop a reputation for being scrupulous in verifying the 
keys they sign. Seeing one of those trusted introducers on a key ring 
would be a strong assurance of authenticity. In any case, PGP allowed 
users to set what cryptographer Bruce Schneier refers to as “paranoia 
levels”: how many levels of separation you’re willing to accept, de- 
pending on the degree to which you trust various signers. 

With this web of trust, a stronger encryption algorithm, a better 
interface, and a number of other improvements, PGP 2.0 was — unlike 
Zimmermann’s favorite weekend comedy show — ready for prime 
time. The informal team of programmers had even prepared transla- 
tions of the interface in several languages, so people worldwide could 
use it from the day of release. In September 1992, two of Zimmer- 
mann’s helpers posted PGP 2.0 on the Net from their respective 
homes in Amsterdam and Auckland. This way, the program could be 
imported into the United States, violating no export regulations. In 
almost no time, the new version supplanted and exceeded the first one. 
“I got more mail in the month after the release than I had received the 
whole previous year,” says Zimmermann. “It was like lighting a match 
to dry prairie grass.” 

Jim Bidzos became, if possible, even angrier. He was particularly 
outraged at a contention of Zimmermann’s included in the documen- 
tation that came with every download of PGP. Zimmermann claimed 
that Public Key Partners was ripping off the American public by mak- 
ing people pay for technology developed on the government dime. 
After Zimmermann’s attempts to cover himself with disclaimers (“The 
author of this software implementation of the RSA algorithm is pro- 
viding this ... for educational use only. . . . Licensing this algorithm 
from PKP is the responsibility of you, the user, not Philip Zimmer- 
mann. . . .”), he launched into a long justification of his actions, 
claiming that he didn’t think he was infringing on any patents. He 
implied that by controlling the patents to public key cryptography, Pub- 
lic Key Partners — “essentially a litigation company,” he called it — was 
doing the NSA’s dirty work by denying crypto to the people! Finally, 
while not giving any assurances, he told potential users that they didn’t 
have much to worry about by violating PKP’s patent rights: “There are 
just too many PGP users to go after,” he wrote. “And why would they 
single you out? ” 
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“He’s misleading people, defaming us as a way of getting support 
for his own agenda,” said Bidzos in 1994. “There’s the evil govern- 
ment trying to deny you your right to privacy and the evil patent hold- 
ers bent on ripping you and the government off — it’s not really clear 
who’s worse, but you can put them both off by using this software. He 
knew it was false.” 

Bidzos did have a point: RSA itself had already produced Mailsafe, 
an implementation of the public key patents. Both parties agree that 
during the contentious 1986 dinner meeting, Bidzos gave Zimmer- 
mann a copy of Mailsafe, but Zimmermann claimed he never tested 
the software or read the documentation because he’d already figured 
out how his product would work. “This guy says he was blown away 
by the invention of RSA,” says Bidzos. “We’re supposed to believe that 
he took software written by the people who invented it, his heroes, and 
never was curious enough to look at it?” 

Yet much of Bidzos’s fury was directed not just at Zimmermann’s 
actions but at the runaway popularity of PGR Because it was free, 
available worldwide regardless of export laws, and had quickly 
attained a patina of coolness among the high-tech crowd, its usership 
quickly exceeded that of Mailsafe, and was now threatening to become 
an Internet standard. Despite not being an accomplished cryptogra- 
pher with a Stanford or MIT pedigree, despite having virtually no 
sense of business or marketing, Zimmermann had done what neither 
the original world-class public key mathematicians nor the market - 
savvy Bidzos had succeeded in doing: create a bottom-up crypto phe- 
nomenon that not only won over grassroots users but was being 
described as the major challenge to the multibillion -dollar agency 
behind the Triple Fence. No wonder that by the end of 1992, Phil Zim- 
mermann had gone from total obscurity to the hero of the crypto 
underground. “If I go to Europe, I’ll never have to buy lunch,” he said. 
“I have a huge number of adoring fans.” 


Zimmermann’s do-it-yourself effort to create a crypto program and 
distribute it to the people — an effort consciously undertaken to cir- 
cumvent government control — marked a new dimension in the on- 
going battle between the NSA and the cryptographers who worked 
outside its reach. The agency had once felt that its voluntary pre- 
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publication compromise with academics had mitigated much of the 
potential damage of that community’s emergence. (And with the 
troublesome First Amendment in play, there was little choice in the 
matter.) Fort Meade’s minions were also fending off the commer- 
cial threat to its dominance by budging only slightly on the export 
situation. 

But it was getting harder to convince people that it made sense to 
control cryptography. It was becoming increasingly clear that this was 
not a weapons technology but one that might fit in as a common arti- 
fact of everyday life. All those millions who used Lotus Notes were 
already aware of its benefits. Those with garden variety e-mail were 
shocked to find that basic protections just weren’t there — sending 
mail on the Internet seemed secure but was actually one step removed 
from broadcasting. And as more people began using cellular phones, 
for instance, they wondered why it was that their calls could be so 
easily monitored by any wirehead who plunked down a hundred dol- 
lars for a scanner. Even the Prince of Wales had his cell calls to his 
mistress intercepted, with the whole world now chuckling at endear- 
ments he uttered to her, endearments that were intensely personal 
(OK, they involved menstruation supplies). In a world of highly 
evolved communications, why shouldn’t everything be protected? 
Even the National Football League figured this out: it used crypto to 
encode the radio signals sent from coaches in the observation booth to 
quarterbacks on the field. This was something anyone could under- 
stand. Here was something as straightforward as a means to prevent 
the Green Bay Packers from stealing the next play from John Elway . . . 
and we called this national security ? 

These were tough questions for a branch of government not used to 
answering any questions at all. But the questioning was about to 
become more intense as a new force, in part inspired by Zimmermann, 
now came into play: cryptoactivism. Strong cryptography distributed 
on the Internet — and a revolutionary movement built around produc- 
ing and distributing strong codes — seemed on its face a fringe activity. 
But with the crypto controversy heating up, it turned out that the time 
was ripe for a small movement to apply leverage. 

So it seemed to two crypto enthusiasts who hatched an idea for a 
group that would be outside even the outsiders in the battle for cryp- 
tography. The concept developed spontaneously when Eric Hughes, a 
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young mathematician living in the north Bay Area and thinking of 
moving down the California coast, visited his friend Tim May in Santa 
Cruz to do some house hunting. 

Hughes and May were an interesting combination, bound by scien- 
tific passion, political libertarianism, and a slightly unnerving para- 
noia. (Hughes liked to joke about this, citing an unknown philosopher 
who supposedly said, “Cryptography is the mathematical consequence 
of paranoid assumptions.”) Both cut striking figures, eschewing a 
math-nerd look for the frontier garb of the Old West: crypto cowboys. 
Hughes was often seen in a felt Stetson. 

At forty, May was a physicist who had retired from Intel seven 
years earlier with a bundle of stocks. His major contribution at the 
semiconductor giant had been his proof that quantum events — the 
meanderings of subatomic particles — could affect the calculations 
performed by semiconductor chips. May’s discovery allowed Intel’s 
designers to devise strategies to deal with this problem, enabling the 
steady progress of Moore’s Law. Outside of technology, May was an 
advocate of libertarianism, as opposed to government restrictions. 
“I got converted by reading Ayn Rand as a kid,” he says. “I would 
write polemics about natural rights in class.” As an adult he posted 
such polemics — intentionally provocative and highly entertaining 
rants — to Usenet groups, and his hard-core advocacy of unbridled 
cryptography had earned him an edgy reputation. A slim, bearded man 
who often wore an outback hat, he owned a small house cluttered with 
books, gadgets, and well-fed cats. 

A semilapsed Mormon from Virginia, Eric Hughes had a long, 
wispy light-brown beard, aviator wire-rimmed glasses, and a cold, sar- 
castic wit. Not yet thirty, he was brimming with attitude. But his cocky 
sureness was tempered with a steady intelligence that enabled him 
to understand both sides of an issue. He loved cryptography. He’d 
studied math at Berkeley, and worked for a company overseas for a 
while. Now, at the dawn of the Internet, he was figuring out how he 
could use codes to fortify the information age. His ultimate goal was 
combining pure-market capitalism and freedom fighting. In his world 
view, governments — even allegedly benign ones like the United 
States — were a constant threat to the well-being of citizens. Indi- 
vidual privacy was a citadel constantly under attack by the state. The 
great miracle was that the state could be thwarted by algorithms. 
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“It used to be that you could get privacy by going to the physical fron- 
tier, where no one would bother you,” he said. “With the right appli- 
cation of cryptography, you can again move out to the frontier — 
permanently.” 

As radical as Hughes’s vision was, it paled in comparison to that of 
his Santa Cruz friend. When Tim May thought about crypto it was 
almost like dropping acid. In the computer age, we create “virtual 
regions,” he would say. And the conduits and pipes of the future, the 
very mortar and walls of those virtual spaces, could be held up by 
nothing but crypto. Oh, God, May would burst out when speaking of 
this vision, it’s so profound. There’s nothing else! One-way functions 
like the ones exploited by Diffie, Merkle, and Rivest were the building 
blocks of cyberspace, he insisted, and if we don’t use them we would 
be reduced to pathetic shivering creatures standing in the ashes of a 
virtual burned-out house. But with it, everything is imaginable. Secure 
conduits — untappable by the NSA! — from hackers in Los Gatos, Cali- 
fornia, to activists in St. Petersburg, Russia. Transactions beyond taxa- 
tion. And an end to the nation-states. That was the coming revolution, 
according to Tim May. 

Such were the topics discussed in May 1992 during Eric Hughes’s 
house-hunting visit to Tim May. There was so much to talk about that 
the conversation lasted for three days. “We’d get up in the morning 
and just keep chatting and chatting and I wouldn’t get anything done 
about looking for a house,” says Hughes. “And we’d go out to lunch 
and come back and keep going. It just went on and on.” By the end of 
the visit — not surprisingly, Hughes had made no progress in finding a 
house and went back to his shared crashpad in Berkeley — they agreed 
to organize a loose confederation of those with similar views. Not to 
sit around and bullshit, but to actually produce, a la Zimmermann, the 
tools that would arm the general public against cyberthieves, credit 
bureaus, and especially the government. 

In the next few weeks, they enlisted the aid of some influential fig- 
ures in the antigovernment crypto community. One forceful ally was 
thirty-seven-year-old John Gilmore, a gentle computer hacker with 
long thinning hair and a wispy beard (when he stood beside Eric 
Hughes, the two of them looked like a geeky version of the cough- 
drop-icon Smith Brothers). Gilmore had made a small fortune from 
being one of the original programmers at Sun Microsystems — he had 
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been employee number five — but left in 1986. In 1990, along with 
Mitch Kapor and Grateful Dead lyricist John Perry Barlow, he’d 
founded the Electronic Frontier Foundation (EFF) to enforce civil lib- 
erties in the digital age, and had just started a new company called 
Cygnus Support, devoted to aiding users of free software. His hobby- 
horse was personal privacy. At a 1991 conference called “Computers, 
Freedom, and Privacy,” he delivered a speech that anticipated the 
thoughts of Mays and Hughes — a people’s crypto movement to stave 
off the government. 

What if we could build a society where the information was 
never collected? Where you could pay to rent a video with- 
out leaving a credit card or bank account number? Where 
you could prove you’re certified to drive without giving 
your name? Where you could send and receive messages 
without revealing your physical location, like an electronic 
post office box? That’s the kind of society I want to build. 

I want to guarantee — with physics and mathematics, not 
with laws — things like real privacy of personal communica- 
tions . . . real privacy of personal records . . . real freedom 
of trade . . . real financial privacy . . . [and] real control of 
identification. 

Gilmore was particularly interested in making sure that information 
about crypto found its way into the public domain. (He had been the 
one who had used the Internet to circulate Ralph Merkle’s fast- 
encryption paper after the NSA had asked Xerox not to publish it.) 
More recently, he had been trying to liberate four early cryptanalysis 
textbooks by the NSA’s legendary wizard William Friedman, filing 
Freedom of Information (FOI) requests to have the thirty-year-old 
works declassified. He even hired a Berkeley lawyer to help him nego- 
tiate the complicated process and file suit when government agencies 
did not respond within the specified legal time period. 

Not long after demanding the Friedman texts, Gilmore began an 
extensive bibliographic search for them on the Internet, using “know- 
bots,” which were automated intelligent search programs. The bots 
indicated that copies of two Friedman codebreaking works were pub- 
licly accessible, one in the Virginia Military Institute library, the other 
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on microfilm at Boston University. Apparently at one time the govern- 
ment had lifted the restrictions on them, but in the Reagan era they 
had once again been classified. Gilmore immediately got friends to 
send him copies and notified the judge hearing his FOl appeal that the 
texts were on public library shelves. The government responded by 
notifying Gilmore that any further distribution of the Friedman texts 
would violate the Espionage Act, which mandated a possible ten-year 
sentence for violations. In other words, Gilmore could be sent to 
Leavenworth for a decade, just for taking a book out of the library and 
sharing it with friends. Gilmore not only notified the judge that his 
First Amendment rights were being violated, but told his story to a 
local reporter. 

Two days later, the government backed down, formally declassify- 
ing the two texts. But Gilmore persisted in asking for the other works, 
and requested that the judge declare the Espionage Act itself an 
unconstitutional suppression of free speech. When a reporter asked 
him if his stance might not weaken national security, he was unre- 
pentant. “We are not asking to threaten national security,” he said. 
“We’re asking to discard a Cold War bureaucratic idea of national 
security which is obsolete. They’re abridging the freedom and privacy 
of all citizens, to defend us against a bogeyman that they will not 
explain.” 

Working with Gilmore (only later did Whitfield Diffie agree to par- 
ticipate as a sort of eminence grise), Hughes and May began plan- 
ning a physical meeting of the proposed movement. Hughes was then 
calling the group CASI, or Cryptology Amateurs for Social Irrespon- 
sibility. Hughes and May prepared all summer, setting the invitation - 
only event for September 19, 1992, at Hughes’s house in Berkeley. 
Because the nature of the enterprise involved an implicit attack on the 
government’s most powerful spy agency, it was decided that discretion 
should be the watchword. 

The meeting exceeded everyone’s expectations. Unlike the Birken- 
stocked academics and rubber-necking spooks who met at the Crypto 
conferences, the twenty or so in attendance were people who saw 
cryptography totally outside the context of their own careers (if indeed 
they had one, as some did not). Their main concern was how people 
would and should use crypto tools. Their politics were heavily liber- 
tarian; more than a few were also self-proclaimed Extropians, whose 
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philosophy merged an extremist view of individual liberties with a 
loopy belief that the far fringes of scientific research would soon 
accrue to our benefit. (Topics that made Extropians giddy included 
nanotechnology, cyborgs, and cryogenics; some Extropians had signed 
up to have their heads posthumously frozen, to be thawed and revived 
in some distant century.) 

But it would be a mistake to misjudge this group by their peccadil- 
loes or by the modest turnout at this first meeting. In fact, they would 
wind up becoming so influential that their grandiose fantasies would 
be vindicated. Profane, cranky, and totally in tune with the digital hip- 
hop of Internet rhythm, they were cryptographers with an attitude. If 
the government hadn’t enough to worry about with industry, privacy 
advocates, and reform-minded policy wonks urging liberalization of 
encryption, the emergence of crypto rebels as popular culture heroes 
was a tipping point, an unexpected sign that the code wars had gone 
someplace new. The code rebels had arrived, brandishing a powerful 
intellectual weapon: crypto anarchy. 

For this first meeting, Tim May had produced a fifty-seven-page 
handout, along with an elaborate agenda including discussion of “soci- 
etal implications of cryptography,” “voting networks,” and “anony- 
mous information markets.” There were reports on digital money in 
virtual realities and John Gilmore’s assessment of the NSA. And there 
was time set aside, of course, for the “reading of manifestos.” Tim May 
had one prepared especially for the meeting, which he called the Crypto 
Anarchist Manifesto. It ended on a stirring note: 

Just as the technology of printing altered and reduced the 
power of medieval guilds and the social power structure, so 
too will cryptologic methods fundamentally alter the nature 
of corporations and of government interference in eco- 
nomic transactions. Combined with emerging information 
markets, crypto anarchy will create a liquid market for any 
and all material which can be put into words and pictures. 

And just as a seemingly minor invention like barbed wire 
made possible the fencing-off of vast ranches and farms, 
thus altering the concepts of land and property rights in the 
frontier West, so too will the seemingly minor discovery out 
of an arcane branch of mathematics come to be the wire 
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clippers which dismantle the barbed wire around intellec- 
tual property. 

Arise, world; you have nothing to lose but your barbed - 
wire fences! 

For a couple of hours, people were invited to play “the Crypto Anar- 
chy game,” a role-playing exercise in which people imagined using 
exotic crypto protocols to keep surveillants in the dark about their 
activities, such as passing secrets or doing drug deals. Since PGP 2.0 
had been released only days before — and most in attendance were 
huge fans of the first version — much of the meeting was spent dis- 
cussing Phil Zimmermann’s latest effort, and copies were distributed 
to all in the room. (Zimmermann himself was still in Boulder.) The 
event turned into a key- swapping party, as everyone exchanged PGP 
public keys and signed one another’s key ring. PGP, after all, was the 
embodiment of the group’s belief that cryptography was too important 
to be left to governments or even well-meaning companies. Only dedi- 
cated individuals, willing to suffer the consequences of government 
sanction, could assure that the tools got circulated into the Internet’s 
bloodstream. After that, John Gilmore said, “It would take a pretty 
strong police state to suppress this technology.” 

One unexpected highlight was an observation made by Hughes’s 
companion, a leather -clad writer who penned articles for the digital 
hippie magazine Mondo 2000 under the name St. Jude. Listening 
to the visions of overturning society with modular arithmetic, she 
made the connection with the recent rise of so-called cyberpunks — 
hackers turned hipsters by linking the in-your-face iconoclasm of 
punk-rock rebels with the digital revolution. “Hey,” she called out, 
“you guys are cypherpunksl” They all loved the name. 

The newly dubbed group was eager to meet again in a month. In the 
meantime, Eric Hughes set up what would be a much more robust and 
fertile cypherpunk gathering place: the Internet. Using John Gilmore’s 
server (its Internet domain name was toad.com) as a cyberspace hub, 
Hughes set up what was known as a list-serv, an ongoing mega- 
discussion where anyone who signed up for the list would receive, 
unfiltered, the e-mail contributions of any other member who cared 
to report news, critique a cryptosystem, or unleash a rant. Within a 
few weeks, over 100 people would sign on to the list, an impressive 
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number considering the mind-numbing volume of messages passed — 
often well over 1 50 a day. 

After that first meeting, Eric Hughes drafted what he called “a small 
statement of purpose” to explain what the group was about. This 
“cypherpunk manifesto” envisioned a home-brewed privacy structure 
that the government couldn’t crack: 

Cypherpunks write code. They know that someone has to 
write to defend privacy, and since it’s their privacy, they’re 
going to write it. Cypherpunks publish their code so that 
their fellow cypherpunks may practice and play with it. 
Cypherpunks realize that security is not built in a day and 
are patient with incremental progress. 

Cypherpunks don’t care if you don’t like the software they 
write. Cypherpunks know that software can’t be destroyed. 
Cypherpunks know that a widely dispersed system can’t be 
shut down. 

Cypherpunks will make the networks safe for privacy. 

A couple of days afterward, Hughes revealed the details of the second 
meeting, to be held on October 10 at Cygnus’s new office in Mountain 
View. “Attendance is transitive trust, arbitrarily deep,” he wrote. “Invite 
who[m]ever you want. . . . Do not, however, post the announcement. 
Time for that will come.” 

As indeed it would. By the following year, the list had expanded to 
more than 700 participants. The group’s original reluctance to ban 
journalists from its meetings — an ironic stance for people so enthusi- 
astic about the spread of information in the Internet age — faded. 
Soon, cypherpunk lore would be a staple in publications ranging from 
Wired magazine to the New York Times. (Their faces, hidden by masks 
with scrawled PGP public key “fingerprints” on them, adorned 
Wired’s second issue.) The face of crypto had taken on a veneer of 
hipness. 


Crypto anarchy was a fascinating concept, infecting not only the 
media but the well-ordered domains of corporations and government 
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as well. Even Donn Parker, a well-known security expert who had pre- 
viously specialized in assessments of computer crackers, was now 
weighing in on the danger of the “coming state of information anar- 
chy if crypto is allowed to proliferate unchecked in its present form.” 
(Parker recommended strong crypto, but with master keys in the hands 
of government — as it turned out, something that the government was 
already considering.) 

But even as the crypto rebels were becoming media darlings, gov- 
ernment threats, and civil liberties heroes, few were aware that the 
mathematical and philosophical basis of their efforts had come from a 
single man, arguably the ultimate cypherpunk. He never attended a 
meeting, didn’t post to the list, and in fact had bitter running feuds 
with some of the people on it. Nonetheless, his ideas — and the patents 
he held on their implementations — were discussed with awe and fear 
both in the corporate and intelligence world. The creator himself was 
one of the most frustrating enigmas in the field, harder to crack than 
triple DES. 

This was David Chaum. 

Chaum, a bearded, ponytailed, Birkenstocked cryptographer and 
businessman, was the former Berkeley graduate student who had, on 
his own initiative, sustained the Santa Barbara Crypto conferences 
and organized the International Association for Cryptologic Research. 
But his legacy in the crypto world went far beyond that: for a number 
of years he was the privacy revolution’s Don Quixote, idealistically 
pursuing crypto liberation from Big Brother. While at Berkeley in the 
late 1970 s, he began building on the foundation of public key to cre- 
ate protocols for a world where people could perform any number 
of electronic functions while preserving their anonymity. If the use 
of public key is akin to magic, and if elaborations like secret sharing 
and zero -knowledge proofs are viewed as powerful examples of that 
magic, then David Chaum was the Houdini of crypto, inventor of 
mathematical tools that could deliver the impossible: all the benefits of 
the electronic world without the drawbacks of an electronic path that 
could lead crooks, corporations, and cops to one’s doorstep. Magic, 
some believed, that potentially could make the entire concept of state- 
hood disappear. 

From a very early age, David Chaum had an interest in the hard- 
ware of privacy. “I think what’s important to realize is that there is a 
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strong driving force for me,” he says. “My interest in computer secu- 
rity initially, and encryption later on, came because of my fascination 
with security technologies in general — things like locks and burglar 
alarms and safes.” (At one point, as a graduate student, he even 
devised a new design for a lock and came close to selling it to a major 
manufacturer.) And, of course, he was completely fascinated by com- 
puters. Chaum was raised in suburban Los Angeles in a middle-class 
Jewish family (his birthdate is uncertain because of a characteristic 
refusal to divulge such specific identifying details) . In high school and 
college — he began attending UCLA before graduating from high 
school, then enrolled at Sonoma State to be near a girlfriend, and 
finally finished up at UC San Diego — he did some garden variety 
computer pranking: password cracking, trash-can scrounging, and 
such. In math classes he hung out with a bunch of fellow malcontents: 
they would sit in the back of the class and every so often, when the 
teacher made an error, they would chime in with a counterproof. (Not 
exactly The Blackboard Jungle, but these were computer nerds.) He 
was also picking up a serious background in mathematics. And late in 
his college career, he came to cryptography, a discovery that in retro- 
spect seems inevitable. 

He had already been thinking about the means of protecting com- 
puter information, but his first serious thoughts on the subject were 
revealed in an English class paper. The politically radical young 
woman teaching the course had urged the students to write about 
what interested them passionately. Chaum wrote about encryption. 

He chose Berkeley for graduate work, largely because of its asso- 
ciation with the new paradigm of public key cryptography. He knew 
that Lance Hoffman, who taught there, had been Ralph Merkle’s 
teacher. He was unaware that Hoffman had rejected Merkle’s ideas 
out of hand. Still, he made good contacts at the school — he even met 
Whit Diffie, who was living in Berkeley then — and got the support he 
needed to begin his own work. Chaum’s first papers, published in 
1979, are indicative of the focus his work would take: devising cryp- 
tographic means of assuring privacy. His ideas built upon the concept 
of public key, particularly the authentication properties of digital sig- 
natures. “I got interested in those particular techniques because I 
wanted to make [anonymous] voting protocols,” he says. “Then I 
realized that you could use them more generally as sort of untraceable 
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communication protocols.” The trail led to anonymous, untrace- 
able digital cash. 

For Chaum, politics and technology reinforced each other. He 
believed that as far as privacy was concerned, society stood at a cross- 
roads. Proceeding in our current direction, we would arrive at a place 
where Orwell’s worst prophecies were fulfilled. He delineated the 
problem in a paper called “Numbers Can Be a Better Form of Cash 
Than Paper”: 

We are fast approaching a moment of crucial and perhaps 
irreversible decision, not merely between two kinds of tech- 
nological systems, but between two kinds of society. Cur- 
rent developments in applying technology are rendering 
hollow both the remaining safeguards on privacy and the 
right to access and correct personal data. If these develop- 
ments continue, their enormous surveillance potential will 
leave individual’s lives vulnerable to an unprecedented con- 
centration of scrutiny and authority. 

In the early 1980s, David Chaum conducted a quest for the seem- 
ingly impossible answer to a problem that many people didn’t consider 
a problem in the first place: how can the domain of electronic life be 
extended without further compromising our privacy? Or — even more 
daring — can we do this by actually increasing privacy? In the process 
he figured out how cryptography could produce an electronic version 
of the dollar bill. 

In order to appreciate this, one must consider the obstacles to 
such a task. The most immediate concern of anyone attempting to 
produce a digital form of currency is counterfeiting. As anyone who 
has copied a program from a floppy disk to a hard drive knows, it is 
totally trivial to produce an exact copy of anything in the digital me- 
dium. What’s to stop Eve from taking her one Digi-Buck and making 
a million, or a billion copies? If she can do this, her laptop, and every 
other computer, becomes a mint, and an infinite hyperinflation makes 
this form of currency worthless. 

Chaum’ s way of overcoming that problem was the use of digital sig- 
natures to verify the authenticity of bills. Only one serial number 
would be assigned to a given “bill” — the number itself would be the 
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bill — and when the unique number was presented to a merchant or a 
bank, it could be scanned to see if the virtual bill was authentic and 
had not been previously spent. This would be fairly easy to do if every 
electronic unit of currency was traced through the system at every 
point, but that process could also track the way people spent their 
money, down to the last penny. Exactly the kind of surveillance night- 
mare that gave Chaum the chills. How could you do this and uncon- 
ditionally protect one’s anonymity? 

Chaum began his solution by coming up with something called a 
“blind signature.” This is a process by which a bank, or any other 
authorizing agency, can authenticate a number so that it can act as 
a unit of currency. Yet, using Chaum’s mathematics, the bank itself 
does not know who has the bill, and therefore cannot trace it. This 
way, when the bank issues you a stream of numbers designed to 
be accepted as cash, you have a way of changing the numbers (to 
make sure the money can’t be traced) while maintaining the bank’s 
imprimatur. 

One of Chaum’s most dramatic breakthroughs occurred when he 
managed to come up with a mathematical proof that this sort of ano- 
nymity could be provided unconditionally. The Eureka Moment came 
as he was driving his Volkswagen van from Berkeley to his home in 
Santa Barbara, where he taught computer science in the early eight- 
ies. “I was just turning this idea over and over in my head, and I went 
through all kinds of solutions. I kept riding through it, and finally by 
the time I got there I knew exactly how to do it in an elegant way.” 

He presented his theory with a vivid example: a scenario of three 
cryptographers finishing their meal at a restaurant and awaiting the 
check. The waiter appears. Your dinner, he tells the dining cryptogra- 
phers, has been prepaid. The question is, by whom? Has one of the 
diners decided anonymously to treat his colleagues — or has the NSA 
or someone else paid for the meal? The dilemma was whether this 
information could be gleaned without compromising the anonymity of 
the cryptographer who might have paid for the dinner. 

The answer to the “Dining Cryptographers” problem was surpris- 
ingly simple, involving coin tosses hidden from certain parties. For 
instance, Alice and Bob would flip a quarter behind a menu so Ted 
couldn’t see it — and then each would privately write down the result 
and pass it to him. The key stipulation would be that if one of them 
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was the benefactor who paid for the meal, that person would write 
down the opposite result of the coin toss. Thus if Ted received con- 
tradictory reports of the coin toss — one heads, one tails — he would 
know that one of his fellow diners paid for the meal. But without fur- 
ther collusion, he would have no way of knowing if it was Alice or Bob 
who paid. By a series of coin tosses and passed messages, any num- 
ber of diners — in what would be called a DC -Net — could play this 
game. The idea could be scaled to a currency system. 

“It was really important, because it meant that untraceability could 
be unconditional,” he says — meaning mathematically bulletproof. “It 
doesn’t matter how much computer power the NSA has to break 
codes — they can’t figure it out, and you can prove that.” 

Chaum’s subsequent work — as well as the patents he successfully 
applied for — built upon those ideas, addressing problems like prevent- 
ing double -spending while preserving anonymity. In a particularly 
clever mathematical twist, he came up with a scheme whereby one’s 
anonymity would always be preserved, with a single exception: if 
someone attempted to double-spend a unit that he or she had already 
spent somewhere else, at that point the second bit of information 
would allow a trace to be revealed. In other words, only cheaters 
would be identified — indeed, they would be providing evidence to law 
enforcement of their attempt to commit fraud. 

This was exciting work, but Chaum received very little encourage- 
ment for pursuing it. “For many years it was very difficult for me to 
have to work on this sort of subject within the field, because people 
were not at all receptive to it,” Chaum says. For a period of several 
years in the early 1980s, Chaum attempted to make personal connec- 
tions with the leading lights in privacy policy and share his ideas with 
them. 

“The uniform reaction was negative,” he says. “And I couldn’t 
understand this. It made it all the harder for me to keep pushing on 
this, because my academic advisors were saying, ‘Oh, that’s political, 
that’s social — you’re out of line.’ ” Even his advisor at Berkeley tried 
to dissuade him. “Don’t work on this, because you can never tell the 
effects of a new idea on society,” he told his stubborn student. Instead 
of heeding the warning, Chaum dedicated his dissertation to him, say- 
ing it was the rejection of the advisor’s thinking that motivated him to 
finish the work. 
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Eventually, Chaum decided that the best way to spread his ideas 
would be to start his own company. By then he was living in Amster- 
dam; on an earlier visit with his Dutch girlfriend, he had fortuitously 
met up with some academics who offered him a post, which in turn 
led to an appointment at CWI, the Centre for Mathematics and Com- 
puter Science in Amsterdam. So, in 1990, he founded Digicash, with 
his own meager capital and a contract in hand from the Dutch gov- 
ernment for a feasibility study of technology that would allow elec- 
tronic toll payments on highways. Chaum developed a prototype by 
which smart cards holding a certain amount of verified cash value 
could be affixed to a windshield and high-speed scanning devices 
would subtract the tolls as the cars whizzed by. One could also use the 
cards to pay for public transportation and eventually for other items. 
Of course, the payments would be anonymous. To Chaum this was the 
most important part of the system: his fear was that a scheme that 
allowed officials to retrace the routes of citizens would be an Orwellian 
atrocity. (Systems eventually implemented in the United States, like 
the popular E-ZPass system, actually do track travelers.) 

After completing that contract (the system was never implemented), 
Chaum kept his company active in smart-card applications; some of 
the projects focused on cash systems that would be used in a building 
or complex of buildings. He had a working example of it at Digicash 
headquarters on the outskirts of Amsterdam; visitors could sample the 
future by using anonymous cash cards to buy sodas and make phone 
calls. 

But in the early 1990s, even as the world came around to the sig- 
nificance of the ideas Chaum had hatched in isolation — firms 
ranging from Microsoft to Citibank were pursuing digital cash 
projects — the company’s operations remained relatively small scale. 
Digicash remained independent, without a close alliance with a large 
partner in banking or financial services. Chaum felt that in time these 
partners, at the least licensees who used Digicash technology, would 
emerge. They had to. It was now the conventional wisdom that paper 
money would be replaced by crypto -protected digits. When that hap- 
pened, his paradigm would become a crucial factor in maintaining pri- 
vacy in the age of e- money. This was an idea Chaum believed was 
worth holding out for. 

Some people interpreted this as stubbornness, or, at least, poor 


crypto anarchy | 219 


business practice. “People wanted to buy David’s patents but he asked 
for too much — he wanted control,” says a former Digicash employee. 
Another tale making the rounds was that Chaum made a last-minute 
veto of a deal with Visa that would have made Digicash the standard 
for electronic money. A Digicash executive would later tell a reporter 
of similar blowups with other firms, including Microsoft. But Chaum 
furiously resisted the theory that his personality quirks and actions 
scotched realistic deals. When a reporter interviewed him about the 
subject, Chaum lashed out at the “malicious slander that it’s hard to 
do deals with me.” Still, frustrated by not being able to get Chaum’s 
patents, some companies began devising their own schemes for ano- 
nymity, which may or may not have infringed on his patents. 

Some cypherpunks felt that Chaum had taken the improper ideo- 
logical approach by applying for patents on his work. (These idealists 
didn’t like RSA’s patents, either.) They complained that by withholding 
the technology from anyone who wanted to implement it — and threat- 
ening to sue anyone who tested the breadth of these patents — he was 
actually preventing his dream from being realized. This criticism 
enraged Chaum. “I really believe it’s sort of my mission to do this, 
because I have this vision that stuff like this might be possible, and I 
really felt it was my responsibility to do it,” he would say. “No one was 
working on this for a good half-dozen years while I was busily work- 
ing on it and they all thought I was nuts. The patents are really help- 
ful to our little company; we couldn’t license, really, without the 
patents, and the whole purpose of them from my point of view is to 
get this stuff out there.” 

It was an article of faith among cypherpunks that protocols for 
anonymity would indeed flourish. This was not a foregone conclu- 
sion. Many tried to make their own schemes, with names like Magic 
Money. Meanwhile, Citibank and Visa were exploring digital cash on 
their own. And a well-funded new company called Cybercash was 
being formed outside of D.C.; one of its investors was RSA Data Secu- 
rity. The cypherpunks wanted to know whether this new form of 
money would provide an electronic trail to the user. They hoped not. 
The c-punk list was full of scenarios in which the Internet provided 
“data havens” outside the United States, places beyond the purview of 
the industrialized nations where people could bank funds or even 
gamble with digital cash. When some cypherpunks helped organize 
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the first conference on financial cryptography, its location was a fore- 
gone conclusion: Anguilla, a small Caribbean island whose transac- 
tions laws were, to say the least, liberal. 

One of Chaum’s ideas, adopted wholeheartedly by cypherpunks, 
was the emergence of services called “remailers.” These were sort of 
cyberspace information launderers . . . outposts on the information 
highway, independently maintained by cypherpunk activists, who 
stripped any identifying marks from a message, then passed it on 
either to its final destination or to another remailer, for another round 
of data scrubbing. Your message goes into the remailer (also known 
as an anonymous server) with a return address — and gets forwarded 
without one. 

Just sending your anonymous message to a single remailer, though, 
was regarded as insufficient protection. Indeed, it imbued the person 
running the server with too much power. If he or she turned out to be 
untrustworthy, or got hacked, or was served with a subpoena, it would 
be all too easy for outsiders to get hold of one’s return address. It was 
the same problem that Whit Diffie originally complained about with 
network administrators and passwords. The cypherpunks thought 
they had the solution to this problem: they helped seed a loose con- 
federation of remailers around the globe. In order to get real protec- 
tion, you had to direct your messages through a series, or “string,” 
or “chain,” of remailers. Each remailing service would strip the return 
address; only the first one would have the original address. A cop or a 
spy trying to trace a message would then have to get the records (if they 
still existed, which they generally didn’t) of ten or twelve or twenty 
remailers in order to retrace the steps. So if the authorities couldn’t 
get the records from some remailer nerd in Tonga, they’d never find 
the original. (Some paranoid users — or, more likely, cypherpunks air- 
ing out their software — went through as many as a hundred remailers 
on their string; since there weren’t that many anonymity servers in the 
world, this required multiple visits.) 

To be really sure your anonymity was protected, you’d use PGP to 
encrypt the whole shebang with the public key of the final remailer on 
the chain. That way no remailer until the final one would be able to 
read the message, which by then would have its origins well buried. 
Want more security? Encrypt that final message in another envelope of 
PGP encryption, this one scrambled with the public key of the pen- 
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ultimate remailer on the chain. That would provide a double layer of 
encryption. And so on and so on, envelopes within envelopes, until 
privacy was fully assured. If at any point along the way, someone 
attempted to read the message, they’d get gibberish, “like getting a 
tape of microphone hiss,” gloated Eric Hughes. 

With cypherpunk encouragement — the first remailer was set up by 
Hughes himself, on the Berkeley server — about twenty remailers were 
up and humming by 1993. Of all the barn-building efforts of those on 
the list, creating an easier way to utilize remailer chains was the most 
intense. It didn’t seem to bother the cypherpunks that those using the 
nascent system weren’t doing much to improve society. Most of the 
messages sent through remailers were postings to Usenet discussion 
groups on the Internet; sadly, these were generally harassing attacks on 
people or simply idiotic flames. Instead of enriching cyberspace con- 
versations, these unsigned stink bombs degraded it. You’d have sophis- 
ticated on-line colloquies about technical issues or personal matters, 
and some moron would chime in with foul-mouthed insults — and the 
serious participants in the discussion would be frustrated because 
there’d be no way of applying sanctions to the conversational vandal 
who disrupted things. On the other hand, in some groups — notably 
those encouraging contributions from whistle-blowers or victims of 
sex crimes — otherwise reluctant message posters discovered a mea- 
sure of security in having their messages attributed to alternate, 
untraceable identities known as “nyms.” It wasn’t unusual in such 
groups to see a lot of mail from clearly cloaked correspondents at sites 
like “bogus@no.return.address.” 

The hardest part of running a remailer, it turned out, was not tech- 
nical. Cypherpunk scripts made the process fairly easy for the techni- 
cally competent noncryptographer to set up an anon server. The tough 
part was standing up to the social and legal pressures that would come 
when outraged targets of hate mail and pranks would demand that the 
anonymous traffic cease. A typical case was a cypherpunk at the Uni- 
versity of Washington who wanted to use the school’s computer sys- 
tem as a remailer. For a few months things went fine, “which wasn’t 
bad when you consider that it was based on a student account with a 
Nazi-like administration,” wrote the operator. “The death blow was a 
target [of e-mail attacks] complaining to me about someone sending 
unsolicited mail to them through my remailer.” The plea to stop such 
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mail went to the system “postmaster,” the person in charge of the uni- 
versity’s e-mail system. Of course, the postmaster didn’t know any- 
thing about such a service being operated on the school’s computer, 
and “when he looked into it, he was quite surprised.” End of remailer. 

More successful was the case of Julf Helsingius, a Finnish com- 
puter consultant who began a remailer in his home outside Helsinki in 
1993. He wanted to provide cover to people posting in a Usenet group 
concerning alcoholic recovery. He set up “Penet” (a variation on his 
company’s name, Pennitech) on a small UNIX machine running on a 
modest Intel 386 chip, and opened for business, relying solely on word 
of mouth for users. Soon thousands of people were sending messages 
through the machine, which would forward the messages to their des- 
tinations without the identifying header. The traffic got so intense that 
Julf had to install a high-speed Internet pipe in his home, which cost 
him a thousand dollars a month. Sometimes, users would write to Julf 
and ask him why he did it. The answer was complicated; Julf was part 
of the Swedish-speaking minority in Finland and had always felt 
strongly about the ability of minorities to speak up. In another sense 
though, he considered it a hobby. “Some people spend similar money 
on golf or whatever,” he would say. When people complained that he 
was allowing creeps and perverts to express themselves, he had a reply 
for that too: 

I can only answer that I believe very firmly that it’s not for 
me to dictate how other people ought to behave. But re- 
member, anonymous postings are a privilege, and use them 
accordingly. I believe adult human beings can behave re- 
sponsibly. Please don’t let me down. 

No matter what the result, the cypherpunk remailer effort gener- 
ated a vital dialogue on the issue of anonymity in a digital society. One 
important cypherpunk text was Ender’s Game, a science fiction novel 
by Orson Scott Card. Part of the plot hinged on an influential public 
debate between two unknown philosophers who took advantage of 
remailer-type technology to post treatises under the fictional nyms of 
Demosthenes and Locke. Since the ideas were subversive, it was 
absolutely necessary to keep their real identities secret; nonetheless, 
the force of their arguments changed the course of society in the 
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novel. Another good reason to hide the real people behind these ideas 
was that the writers were children, a brother and sister who were, 
respectively, twelve and ten years old. “It’s not my fault I’m twelve 
right now,” the young man explained to his sister. “The world is 
always a democracy in times of flux, and the man with the best voice 
will win.” 

But it was not only science fiction that valued anonymity. The prac- 
tice was crucial in the formation of the United States itself, and was 
arguably as American as apple pie. As cypher punk historians loved to 
point out, the model for the Ender’s Game debate may have been the 
Federalist Papers, with parts written by James Madison, John Jay, and 
Alexander Hamilton but published under the pseudonym Publius. And 
when Thomas Paine wrote Common Sense, he originally signed it “An 
Englishman.” As the Supreme Court would note, “Anonymous pam- 
phlets, leaflets, brochures, and even books have played an important 
role in the progress of mankind,” a role the court has sustained in con- 
sistent rulings. In 1995, it would reaffirm the constitutionality of the 
concept once more, using the words of John Stuart Mill to hail ano- 
nymity as “a shield from the tyranny of the majority.” Who could 
blame cypherpunks for producing the cryptographic tools to preserve 
a writer’s ability to continue this vital tradition? 

Plenty of people, as it turned out. Critics — among them FBI direc- 
tor Louis Freeh — would contend that when anonymity hit the Inter- 
net, it did not merely find a familiar niche in a new medium; it was 
amplified beyond recognition into something more menacing. David 
Chaum’s invention of blind digital signatures and nontraceable anony- 
mous cash had the potential to make cyberspace into an identity-free 
zone where one could go underground far more easily and effectively 
than in the physical world. When you spend hard currency in a store, 
for instance, no one asks you for ID papers — but your face marks the 
transaction in the cashier’s mind, particularly if you’re a return cus- 
tomer. (If you wore a bag over your head, you’d probably have trou- 
ble making the payment in the first place.) Using Chaumian protocols, 
you could potentially make all your purchases, send all your mail, even 
receive monies, with total assurance that no one would know who you 
are. But so could kidnappers, child pornographers, and terrorists, 
whose lives would be made much simpler and more secure with such 
tools. 
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Such concerns didn’t faze the cypherpunks. On the contrary, 
they went out of their way to emphasize why the technologies of 
anonymity could be so controversial. A good example was Tim May’s 
announcement of an enterprise he called “BlackNet.” The group did 
not exist, of course. It was a thought experiment he originally figured 
to bring up for discussion at a cypherpunk meeting, but then decided 
to send it out anonymously on the Net. “I sent it through remailers so 
it would add a piquancy, a spiciness to it,” says May, who certainly 
didn’t mind going public with his own beliefs (he usually signed his 
e-mail with a hair-raising list of passions — “crypto anarchy, digital 
money, anonymous networks, digital pseudonyms, black markets, and 
collapse of governments”). 

BlackNet was a guerrilla theater presentation of those interests. 
“Your name has come to our attention,” the message began. “We have 
reason to believe you may be interested in the products and services 
our new organization, BlackNet, has to offer. BlackNet is in the busi- 
ness of buying, selling, trading, and otherwise dealing with informa- 
tion in all its many forms.” The offer went on to explain that with 
public key cryptography, a perfect data black market exists where one 
can get or sell everything from trade secrets to cruise missile plans 
without any risk of being identified. The parties in these transactions 
will not be known to each other, not even to BlackNet. Needless to 
say, no one would ever know who is behind BlackNet: 

Our location in physical space is unimportant. Our location 
in cyberspace is all that matters. Our primary address is the 
PGP key location “BlackNet” and we can be contacted 
(preferably through a chain of anonymous remailers) by 
encrypting a message to our public key (contained below) 
and depositing this message in one of the several locations 
in cyberspace we monitor. 

BlackNet also purported to deal in money, offering to make anony- 
mous deposits in the bank of your choice. You could deal with Black- 
Net using actual cash or “cryptocredits,” BlackNet’s own internal 
currency (which could be used in any sort of untraceable clandestine 
information transaction you chose). And BlackNet itself had no ide- 
ology of its own, save one: “We consider nation-states, export laws, 
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patent laws, national security considerations, and the like to be relics 
of the pre- cyberspace era.” 

To May’s delight, many accepted the BlackNet announcement at 
face value, especially as news of it leaked beyond the crypto commu- 
nity and into the more panic -prone world at large. Though BlackNet 
was fictional, May did believe that in the future we would see similar 
enterprises. It didn’t bother him at all — people were free agents, and 
responsible for themselves. “If people die as a result of this . . . eh\” he 
said. “I didn’t hurt them.” 

All in all, the exercise put a screaming exclamation point to cypher- 
punk philosophy. Crypto anarchy until then may have been the prov- 
ince of science fiction writers, but the tools to make it real were 
arriving. As those digital armaments were put to use, it was possible 
that a thousand BlackNets could bloom. Certainly this was something 
noted inside the Triple Fence — and at FBI headquarters as well. Did 
it portend a movement that had to be stopped? The establishment was 
beginning to think so. 

With the powers of crypto, “we have the capability of 100 percent 
privacy,” admitted security expert Donn Parker. “But if we use this, I 
don’t think society can survive.” 


the clipper chip 


t he creator of the Clipper Chip was an unintentional spook. Clinton 
Brooks’s passion was astronomy. He studied it at Yale during the late 
sixties, and wanted to make it his career, after fulfilling his ROTC 
obligations in the navy. His duty was slated for the Pacific, and he 
planned to move his wife and small children to Hawaii and sail as a 
shipboard communications officer. He didn’t realize that people at a 
certain intelligence agency had other plans for him. 

Several years earlier, Brooks had been assigned for his mandatory 
summer duty to a location unknown to him: Fort George Meade. He 
had driven to Maryland, expecting a typical military base. Instead he 
was intercepted by inscrutable guards outside what looked like a mod- 
ern office building in the middle of nowhere who told him that only 
those with high security clearances could enter. To his surprise, a 
phone call revealed that he already had been granted such a clearance. 
Welcome, Clint Brooks, to the National Security Agency. He might 
have thought of this duty as an interlude, but his superiors had appar- 
ently taken note of his abilities, and offered him an alternative to the 
navy. Not only could he remain in the States, but he’d have a chance 
at a deeper satisfaction — an opportunity to indulge his cosmic yearn- 
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ings, to a degree, by working in top-secret satellite reconnaissance. He 
would not, of course, be able to talk about his work to his friends, 
neighbors, and relatives, because even the title of the satellite organi- 
zation was more closely protected than the No Such Agency itself. But 
it sounded good to Brooks. So he declined his commission on the 
USS Pueblo — the intelligence ship that would be captured by the 
North Koreans a few months later, on January 23, 1968. He would 
work at the agency that dared not speak its name. 

Twenty-four years later, Clint Brooks was an assistant deputy direc- 
tor at the agency that now did speak its name in public. And he found 
himself at the center of a crisis that involved the very mission of the 
National Security Agency: the rise of public cryptography. One day in 
the late spring of 1992, he walked over to the office of a recently 
arrived general counsel of the agency to enlist the newcomer’s aid in 
a campaign that, Brooks hoped, might help the agency get through 
this dangerous passage. 

Traditionally, the NSA general counsel is recruited from outside, a 
lawyer familiar with government work with no particular experience in 
intelligence matters. Someone who can fit into the cloistered culture 
inside the Triple Fence, but who retains a sense of the real world 
beyond. It had been Bobby Ray Inman who first figured out that a 
sharp legal mind just plucked from the fray could best forward the 
agency’s business, and provide a level of oversight that perhaps a 
career spook might not. Ever since Inman’s lawyers helped him navi- 
gate the agency’s problems with academic crypto research, a series of 
sharp, relatively young attorneys had filled the post for a couple of 
years, then each had moved on. 

Stewart Baker fit the mold. Born in 1947 and raised outside 
Detroit, he went to law school at UCLA, clerked for a federal judge, 
then went into private practice for Steptoe and Johnson, one of the 
most prestigious firms in the nation’s capital. He served for a few 
years in Jimmy Carter’s Education Department, then returned to 
Steptoe. When recommended for the NSA job, he’d been unsure 
about it. “Should I do it?” he asked a military friend. “What better 
could you do for your country?” his friend replied. 

Baker had occupied his new office for less than a month before 
Clint Brooks’s visit. It was clear that the spindly, square-jawed NSA 
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lifer was a true believer — but in what? Before he spoke. Brooks placed 
a large bottle of Advil on Stewart Baker’s desk. “You’re going to need 
this,” he said. 

Then Brooks laid out the entire story of how cryptography was 
going public. He told Baker about DES, the strong cipher that wound 
up in more common use than the NSA had expected, then about the 
development of public key, and RSA, and the agency’s troubles with 
the new cryptographic community that led to the compromise of pre- 
publication review. And now, he said, the idea that you could control 
things by vetting academic papers was irrelevant: companies like RSA 
were selling crypto commercially. Baker was aghast. How did you let 
that stuff out? he wanted to know. 

It wasn’t that simple, Brooks explained. The NSA has two roles. 
One, of course, is cracking ciphers and providing great intelligence to 
the rest of the government. But the other is to provide the United 
States with the best possible codes. Inside the Triple Fence, this du- 
ality was referred to as “Equities,” reflecting, no doubt, that both tasks 
were equally important. Clint Brooks was the Equities guy at the NSA. 
It was a thankless balancing act, because an advance in one mission 
was sometimes a threat to the other one. In the old days, at least, the 
debate was confined inside The Fort, but now it took place in the halls 
of Congress and in the pages of the New York Times. Meanwhile, the 
specter of widespread encryption was like a train bearing down not 
just on the NSA but on society in general. Like the cypherpunks, Clint 
Brooks looked into the future and saw crypto everywhere. But while 
the crypto rebels embraced the vision, Brooks understood that this 
new reality was a potential disaster, if the agency did not adjust. 

This was gospel that Brooks had been preaching for several years, 
at first to deaf ears. During most of the 1980s, after director Inman’s 
first skirmishes with the crypto academics, most people at the agency 
hadn’t been much concerned with the possibility that public cryptog- 
raphy would affect them in any significant way. Strong export laws 
kept everything under control, assuring that nothing as strong as DES 
left the country without restrictions. In the chill of the Cold War, Con- 
gress always gave Fort Meade what it asked for. And though an occa- 
sional in-house Cassandra would cite some pundit’s prediction that in 
two or three years widespread commercial crypto would take off, it 
never did seem to happen. So it was easy to think that it might never 


the clipper chip | 229 


happen. Brooks knew otherwise. Beginning around 1988, he came to 
understand the direction the Internet was taking and realized that, this 
time, the threat was real. But his superiors laughed when he tried to 
lecture them. What are you talking about? they’d say. We’re the only 
cryptographers! This is a military technology , not something that peo- 
ple want to use! Only when an Internet revolution became plausible, 
and companies like Lotus actually started to build crypto like RSA into 
their products, did the top levels of the agency come to realize that 
Brooks had a point. So they authorized him to find some sort of solu- 
tion to this conundrum. And Brooks had indeed come up with one. 

That was the reason for Clint Brooks’s visit to Stewart Baker: to get 
him on board with the plan. There was, he explained, a possible way 
out ... a solution that not only could give the unprecedented protec- 
tion of strong crypto to the masses, but that would also preserve the 
government’s ability to get hold of the original plaintext conversations 
and messages. In fact, for the past three years, Brooks revealed, the 
NSA had been creating such a scheme. It involved a technique known 
as key escrow. 

The project had begun in 1989. Brooks, in his role as Fort Meade’s 
Equities man, had been racking his brain to figure out how to recon- 
cile the two seemingly incompatible demands: the need for strong 
public codes and the agency’s need for plaintext traffic. Clearly, no 
solution was perfect. The idea was to strike the proper balance, giving 
users of nonclassified information both inside and outside the govern- 
ment a healthy measure of security, but not so much that the public’s 
safety was abridged. At the time the NSA, acting in accordance with 
the Memorandum of Understanding, had formed the working group 
on cryptography with the National Institute of Standards and Tech- 
nology. In NIST’s acting director Ray Kammer, Brooks found a 
kindred soul. The two of them spent hours going over the prob- 
lem, probing the technical and even philosophical aspects of a crypto 
policy. 

In one of their early discussions, Brooks and Kammer had simulta- 
neously had an epiphany: the use of encryption would have a profound 
effect on law enforcement, particularly in its ability to continue wire- 
tapping. They began visiting people in the Justice Department and the 
FBI, none of whom had the slightest inkling of the troubles that lay 
ahead. Brooks or Kammer would tell them that all the authorizations 
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to wiretap in the world might not help them when crooks used encryp- 
tion, and their jaws would drop. Can’t you help us? the law enforce- 
ment people would ask. 

Brooks had once assumed the solution might lie in a giant decep- 
tion. The agency could create a putatively strong cryptosystem, so 
apparently strong that companies would build it into their products 
and export it around the world. But the agency would have built in a 
“trapdoor,” to allow the NSA secretly to derive plaintext from encoded 
transmissions. But after some clear thinking, he discarded that risky, 
and questionably legal, idea. Such a scheme would entail getting 
decrypted messages from U.S. citizens. You might be able to justify a 
hidden trapdoor to snoop on foreigners, but if Congress or some 
investigative reporter discovered that the NSA had launched a clan- 
destine surveillance plan against Americans, the Church committee 
would look like a picnic. 

So Brooks spent nights awake trying to conjure some other idea. 
On one of those nights, he had a flash. There could be a compromise 
that could satisfy everybody. In the physical world, a search warrant 
compelled a suspect in a crime to give authorities the combination of 
a safe. Why not translate that concept to the world of communications 
and computers? If you created a system by which special duplicate 
encryption keys were somehow spirited away and stored in secure 
facilities, you would essentially be holding lock combinations in 
escrow, unavailable to anyone but those who had authority to retrieve 
them. Those with that legal authority — a search warrant from a judge 
or an understood set of national security criteria — could get the keys 
from the trusted storage facility. Once that access was assured, there 
would be no problem in allowing the encryption itself to be as strong 
as anyone liked. Make it uncrackable! If the FBI or the police needed 
the key, and a judge concurred, then they’d have the wherewithal to 
decipher it, just as if they were the intended recipients. 

To some people at the agency, the scheme was a heresy: You’re 
going to put a back door into a cryptosystem . . . and TELL people 
about it? But full disclosure was a critical part of Brooks’s vision. He 
really wanted this new scheme to kick off a national debate about 
cryptography. Only then, he believed, could an escrow scheme, which 
would require an elaborate infrastructure, be established. With the 
government no longer concerned about getting hold of encoded mes- 
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sages, the path would be free and clear toward a universal blanket of 
crypto, with organized public key distribution, standardized digital 
signatures, and automatic encryption of messages. The privacy nuts 
and conspiracy freaks would raise hell at the idea of escrowed keys. 
But if all the issues were aired, all the dangers addressed, all the bene- 
fits sketched out, surely reasonable people could see that this plan was 
the best way to protect our communications without sacrificing our 
safety. Anyway, what was the alternative? 

Of course, if such a scheme were to be launched, the NSA itself 
would have to change, readjusting its focus so it would operate in a 
highly computerized — and crypto -ized — post— Cold War world. The 
intensity with which The Fort still maintained its veil of secrecy was no 
longer appropriate. If the people were to buy such a radical idea, the 
NSA would have to earn their trust. Thus it was imperative to bring 
the debate on cryptography to the public, treading on once forbidden 
areas with brutal honesty. 

Brooks eventually got approval to pursue his plan, but his idea that 
the NSA should collaborate with the general public was received with 
skepticism or worse. He found himself arguing like some deranged 
Jeremiah. “This has got to be a national policy,” Brooks said at one 
meeting of the top NSA officials. When asked by a deputy director to 
explain further, he replied, “This isn’t a judgment that can be made 
by the director of the National Security Agency or a committee of 
deputies ... it’s a value judgment as to what s in the best interest of 
the country. It has to be decided by the president of the United 
States.” The official who answered directly to the voters! His peers 
thought he’d gone off the deep end. This was the National Security 
Agency, their attitude was, and we don’t do that sort of thing. 

While waiting for the public debate to take shape, Brooks was 
working hard with other agencies to set up a structure for his am- 
bitious key escrow plan. Because of the Memorandum of Under- 
standing, of course, the agency would have to develop the scheme with 
NIST. But that was no problem. The joint technical working group 
had been working on the public crypto situation since the very first 
meeting in March 1989, particularly on the digital signature algo- 
rithm. Public crypto was known within the group as Issue One. 

A third stakeholder in the discussions was the FBI. The early 
alert from Brooks and Kammer had indeed awakened interest at the 
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bureau: in 1991, director William Sessions had written to defense sec- 
retary Dick Cheney about computer security, clearly indicating that 
his agency wanted a voice in determining policy. The FBI, it turned 
out, would actually assume the hardest line on the issue. 

The NSA, of course, did the technical heavy lifting. By 1990, thirty 
of its mathematicians were working on the problem. They quickly set- 
tled on the bedrock of the system, a powerful encryption algorithm 
that had been kicking around Fort Meade for a couple of years. Its 
codename was Skipjack. It was a block cipher like DES but was 
deemed much stronger. Its recommended key length was 80 bits as 
opposed to DES ’s 56; it used 32 rounds of substitution instead of 16. 
(There appears also to have been some more subtle technical reasons 
for Skipjack’s superiority, but of course, the NSA was loath to reveal 
these.) Though Brooks tried to argue that in this new era, it might be 
appropriate to reveal the algorithm — insisting, in fact, that to win over 
their critics they would probably be forced to publish it anyway — he 
met with staunch resistance. Never — never — would the agency allow 
its foes access to what amounted to an advanced course on the cutting 
edge of codemaking. Things don’t work that way at The Fort. 

Skipjack, though, was only a single component of what the NSA 
called Capstone, which was a complete public key system that would 
include the digital signature standard. Of course, this particular 
scheme had an additional complication: how would you implement the 
escrow? You’d have to figure out a way to isolate a copy of each key 
and send that information elsewhere for storage. By 1991, the NSA 
decided that trying to do this in software was too risky — it feared that 
some foe could change the code to build in a weakness — and con- 
cluded that a better method would be to put the whole shebang on a 
tamperproof computer chip. An experienced defense contractor in 
Torrance, California, called Mykotronx was hired to fabricate the 
chips. 

The system itself worked by inserting several new components into 
the classic equation where Alice encrypts and Bob decrypts. One of 
them was the “unique chip identifier.” It was a number that matched 
up with a “chip unique key” that was assigned to a single physical 
chip. Each device — a computer or perhaps a phone — would have its 
own unique chip identifier and chip unique key. 

When two people wanted to communicate privately, they would 
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each have one of those devices. If, for instance, they wanted a phone 
conversation that an eavesdropper couldn’t hear, they’d have special 
phones with the technology built in. Once the connection was made, 
the phones would zip signals to each other (via a Diffie-Hellman 
exchange) to calculate a new symmetrical key, called the session 
key. Using Skipjack, that key would actually encode the sounds of 
each speaker as the sounds left the phone and decrypt those sounds as 
they emerged from the other phone. But along with the encrypted con- 
versation, the phones would transmit another set of bits, called the 
Law Enforcement Access Field (LEAF) . (It was originally called the Law 
Enforcement Exploitation Field, but was changed to a somewhat less 
ominous term.) The LEAF would be generated by a set of calculations 
involving the session key, the chip unique key, and the unique chip 
identifier, winding up with two important components: an encrypted 
version of the session key and the unique chip identifier. All of that 
would be further scrambled by the family key. 

So how would officials get hold of those keys? They would already 
be in possession of one of them, the family key — there’s only one in 
the whole system. The tricky part of the scheme would be getting the 
proper chip unique key and, ultimately, the session key. This would be 
performed by way of the LEAF. 

What if an eavesdropper captures the information on the LEAF? 
Even if he could isolate the chip identifier from the LEAF, it would be 
useless. All the identifier would do, really, is identify. It would point to a 
chip unique key in a vast database. But only the government wiretappers 
would have access to that database, stocked with every chip unique key 
in existence. Having that identifier without a way to get into the escrow 
facility would be like having someone’s fingerprint and no access to 
crime records: it would be of no help whatsoever in telling you who it 
identifies. But a government agent would be able to take that identifier, 
along with a court order, to an escrow facility, and match it up with the 
chip unique key. And then combine it with the family key. Viola! You’d 
have the session key — and the fuzz of an encrypted conversation could 
be transformed into blessed, perhaps incriminating, plain language. 

That led to another complication. Where would the escrowed keys 
be stored? If they were all kept in one place, it would be a potential 
gold mine for all sorts of crooks, spies, and even corrupt U.S. gov- 
ernment agents — anyone with access could get hold of the means to 


234 | crypto 


violate the privacy of every encrypted conversation in the world. So 
Brooks and his colleagues decided that the escrowed keys would be 
split into two pieces that would be stored in different locations. This 
would be done in such a way that obtaining one piece of the key would 
provide no mathematical advantage in discovering the entire key. 
When a judge authorized a wiretap, the law enforcement officer would 
present the warrant to both escrow agents, construct the key, and then 
have the wherewithal to listen to the conversations. 

In late July 1991, all the relevant government agencies met for 
an off-site meeting at the FBI’s Engineering Research Facility in 
Quantico, Virginia, to discuss the alternatives for a national encryp- 
tion policy. Clint Brooks made the opening presentation. As recorded 
by one official in attendance: 

He presented these within the context of a national goal that 
would satisfy the need for good commercial and unclassified 
cryptographic security while protecting the interests and 
responsibilities of national security and law enforcement 
organizations. He termed the achievement of this goal 
“Nirvana.” 

The agencies didn’t reach total agreement. Notably, the FBI appar- 
ently was arguing for the ability to do its decrypting instantaneously, 
or in “real time,” an approach that the NIST people deemed “dra- 
conian and intrusive.” (The FBI approach would essentially dictate 
that the escrow facilities should be a phone call away at any time, and 
safeguards against abuse would go out the window.) But they all 
agreed that a system should provide encryption for the public while 
allowing the cops and the spooks access to the keys — essentially, the 
N SA solution. 

Until the whole government got behind it, the escrow scheme was 
just another flashy technology concocted behind the Triple Fence. 
In order for it to work, it needed to be ubiquitous. As Brooks had 
anticipated — and as his superiors finally came to understand — such a 
sweeping change needed the imprimatur and active support of gov- 
ernment’s highest level, up to George Bush himself. But an election 
was approaching, not the time to air potentially controversial new 
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ideas. In any case, the Bush people seemed unconvinced of the 
urgency of quick action. Brooks figured that in 1993, after Bush was 
returned to the White House, the reelected president would be able to 
tackle the problem, free from worries about what the electorate might 
think. 

But in 1992, two unexpected events dramatically shaped the course 
of Clint Brooks’s key escrow scheme. The first one involved an inno- 
vative product about to be introduced into the marketplace — a twenty- 
four ounce box that connected to the telephone. That pound and a half 
of technology portended tons of problems. The second development 
was the election of a new U.S. president. 

The box’s technical name was the AT&T Telephone Security Device 
(TSD) 3600. For several years, the telecommunications giant had been 
manufacturing secure phones for the government, using a special 
NSA-designed algorithm. In 1992, the company decided to broaden 
its market outside the government, and began limited sales of a voice 
data scrambler that used an encryption algorithm devised by AT&T’s 
own crypto team. That autumn, it decided to follow up on an even 
wider scale — by launching a secure phone designed to sell by the 
thousands. If you were worried about snoopers listening for sensitive 
data involving intellectual property, trade issues, and business strate- 
gies, you’d want one of these. You didn’t have to be an engineer or a 
nerd to use it, either. “It connects easily to desk telephones or . . . 
mobile cellular phones,” gushed company literature. “And it’s as easy 
to use as it is portable. To protect conversations, the user simply 
pushes a single button. The call is automatically encrypted and the 
conversation secured.” AT&T also claimed that the voice quality on 
this device was, unlike the relatively fuzzy phones that the military 
used, almost as good as that of a regular telephone. 

What’s more, this new phone would use the most trusted encryp- 
tion algorithm of all to scramble voice: DES, the cipher that was still 
a hot button behind the Triple Fence. 

The NSA, of course, was unhappy at this new use of the problem 
child it had once blessed. But news of AT&T’s plan was even more 
troubling to the FBI. The law enforcement agency had already been 
complaining that new telephone features like cellular service and call 
forwarding were making it more difficult to implement wiretaps. Its 


f 


236 | crypto 


solution was to propose a new bill, known within the Beltway simply 
as “Digital Telephony.” The law would mandate that all new tele- 
communications equipment be designed with wiretaps in mind; it 
essentially banned new devices and services that denied the govern- 
ment an easy way to conduct surveillance. Critics were already howl- 
ing. It was bad enough that the bill would cost equipment makers 
hundreds of millions of dollars (presumably a cost passed on to con- 
sumers) . Much worse was the central premise behind the legislation, 
which required the tail of wiretaps to wag the dog of telecommunica- 
tions. Instead of encouraging one of the country’s most innovative 
industries to produce the systems that would sustain America’s high- 
tech success in the global marketplace, Congress would be locking a 
ball and chain on innovations. And for what? Just to keep its ears open 
to approximately 1 000 annual federal wiretaps, to glean information 
that could arguably be recovered by other means, like hidden bugs or 
informants? 

Though Digital Telephony didn’t mention cryptography specifically, 
the specter of crypto restrictions hung over the legislation like some 
digital Sword of Damocles. As Brooks and Kammer had explained to 
the FBI, strong crypto could totally screw up the benefits of the bill. 
Even if Digital Telephony passed, and the industry faithfully followed 
its strictures, the G-men and other police agencies would be able to 
monitor the transmissions sent over the wires or the air — but then 
what? If those communications were scrambled, those precious inter- 
cepts would be no more than useless static. FBI director William 
Sessions got the message and made sure that G-men would be partic- 
ipants in the NSA-NIST effort to deal with the problem. 

Now the FBI was freaking. Here was this new AT&T phone, 
designed to move secure-phone technology from a status item on the 
desks of national security advisors to a common commercial product, 
one used by executives, lawyers, and scientists, not to mention privacy 
nuts, crooks, terrorists, and God knows who else. It would be a law 
enforcement disaster . . . unless there was a way that the government 
could somehow overhear those conversations as they were before 
encryption. Wasn’t that what Clint Brooks had figured out? So Brooks 
and his team were asked if the Capstone chip might go into the AT&T 
phone. As the Capstone was originally conceived, it was too demand- 
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ing for the TSD 3600 — with all its features, such as the digital signa- 
tures, it would require more computation than the device could han- 
dle. But maybe if the NSA carved out just the encryption algorithm 
and key escrow, it could come up with something that could simply be 
clipped into the phone in place of the DES chip. 

Even while agreeing that it could be done, Brooks was wary. The 
Capstone chip was well designed and represented a complete solu- 
tion. Coming up with something new would be riskier — and to do it 
in time to stave off the AT&T phone, it would have to be done very 
quickly. There would be no time for the national debate he felt was so 
essential. 

But the FBI couldn’t wait. On October 13, 1992, Judge Sessions 
himself placed a call to AT&T’s chief executive officer Robert Allen. 
We’ve got a problem, he told him, and then outlined problem and solu- 
tion: Would AT&T consider using an escrow encryption chip instead 
of its DES -based system? If the company agreed, the feds could offer 
considerable carrots. For one thing, AT&T could claim that it was 
actually providing mightier encryption, since Skipjack was much more 
difficult for outsiders to crack than DES. Furthermore, the United 
States would probably allow this key escrow phone to be exported. 
Best of all was a promise directed toward the bottom line: the federal 
government would buy thousands of units for its own use. 

The downside, of course, would be that potential corporate buyers 
would have to buy into the basic compromise that escrow entailed: the 
encryption would be strong, but one not necessarily welcome third 
party would also have a copy of the key. 

Sound familiar? It was the same situation that Whit Diffie had 
found utterly intolerable two decades earlier: the difficulty of two peo- 
ple seeking intimacy when someone else is in the bed. Diffie had 
invented public key in order to avoid this perversion of the crypto- 
graphic relationship. Indeed, the AT&T phone as originally conceived 
was an embodiment of Diffie’s vision. The users of the phone would 
not need to exchange secret keys beforehand. Instead, the two respec- 
tive phone devices would furiously perform the calculations of a 
Diffie -Heilman key exchange, in order to settle on a secure DES key 
that would encrypt, and then decrypt, the actual conversation. No 
need for anyone else. You wouldn’t want anyone else. 
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But the bounty offered to AT&T — and the chance to avoid a gov- 
ernment confrontation — was too juicy to turn down. The phone com- 
pany signed off on a deal: if the government would adopt a plan to 
make key escrow its standard, AT&T would forgo its DES scheme and 
install a government-designed chip in the device instead. This would 
be the stripped-down version of Capstone, using the Skipjack algo- 
rithm and the escrow features, but without the signature or hashing 
algorithms. It was given a new code name: Clipper. 

“We knew no decision would make everybody happy,” said an 
AT&T spokesperson. “But frankly, the Clipper Chip offered an impor- 
tant law enforcement issue and increased the level of protection.” More 
to the point, it also offered guaranteed sales, and the continued good- 
will of one of AT&T’s major customers, the United States government 
(at the time, the company was negotiating a government contract 
worth over $10 billion). If key escrow became government policy, 
AT&T would happily be on board. 

But Clipper was still nowhere close to being the official government 
policy. Clint Brooks and the NSA needed one more big break before 
they could begin their journey toward Nirvana. That break came on 
November 3, 1992, when the United States went to the polling place 
and elected William Jefferson Clinton its president, with Albert Gore 
as his vice president. 

It might appear counterintuitive to think that those election results 
favored the NSA. After all, Clinton was a Democrat who had spent the 
Vietnam years speaking against the conflict instead of fighting in it. 
During the campaign, Clinton had visited Silicon Valley, and while he 
had made no promises, he indicated that his presidency would be a 
friend to private crypto. “He talked about how silly it was that there 
were export controls on off-the-shelf software,” remembers privacy 
advocate Marc Rotenberg. “He didn’t say ‘encryption’ specifically, but 
that’s clearly what he was referring to.” 

Another sign that Clinton might not be NSA-friendly was the nature 
of the people surrounding him. For instance, the head of his transition 
team was a former electronics lobbyist named John Podesta, who had 
vociferously supported the industry agenda of liberalizing export rules. 
Besides Podesta, Clinton’s minions included a number of people who 
seemed tuned into the hip and crypto -friendly cyber world. 

Chief among that contingent was the vice president himself — a self- 
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styled computer aficionado to whom Clinton would delegate the ulti- 
mate decision on the cryptography issue. In fact, A1 Gore’s presence 
as the nation’s second-in-command was often cited as proof that the 
new leadership team was a nerd-friendly future squad who “got” the 
new Internet paradigms. Their campaign speeches might have been 
about bridges to the future, but Gore’s vision was of an Informa- 
tion Highway to transform the country and indeed the globe. Gore 
arranged to bring some of the most techno-sawy Senate staffers to the 
White House to help on digital matters, people like Mike Nelson, a 
former MIT geophysicist experienced in Info-Highway issues. They 
were “extremely smart, conscious freedom-lovers,” wrote John Perry 
Barlow, who got to know them in his role as Electronic Frontier Foun- 
dation cofounder. “Hell, a lot of them are Deadheads. I was sure that 
after they were fully moved in, they’d face down the National Security 
Agency and the FBI.” 

Barlow had mistakenly assumed that because the Clinton staffers 
recognized the opening chords of “Sugar Magnolia,” they’d be im- 
mune to top-secret doom lectures from the star-spangled crypto boys 
at Fort George Meade. Behind the Triple Fence, the expectations were 
just the opposite. The spooks understood that Bill Clinton and his 
peach-fuzz tech squad were a godsend for the escrow idea. The Bush 
administration had never warmed to the escrow plan. The problem 
wasn’t so much that the Bush people were specifically against this par- 
ticular scheme. They were against anything that required a little gump- 
tion. “The Bush people had spent twelve years in power, most of them 
with a Democratic Congress, and they knew that everything that could 
blow up, would blow up,” one insider explained. “When you pre- 
sented something to them, you got nothing but eyes staring out. . . . 
You could sense that everyone was thinking, ‘How might this end up 
on my suit?’ ” 

In contrast, the Clinton people were policy joyriders, like teenagers 
finally granted their turn behind the wheel. They were totally juiced 
that after twelve years of dinosaur rule, they now had their chance to 
fix things. They were also detail freaks, eager to belly flop into the 
huge piles of clauses, footnotes, and trivia that embodied the process 
of governing. Present them with an idea and they surrounded it, tick- 
led it, tore it apart to see its gears rattle, and wondered how they could 
make it work for them. They drew confidence from a belief that their 
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own good intentions were obvious, and even if their efforts didn’t pan 
out, the public would give them credit for trying to do the right thing. 

The forces pushing key escrow didn’t even wait until the new 
administration reached the White House before they hit Clinton and 
Gore with the encryption problem. The AT&T phone threat provided 
an impetus. “Suddenly this wasn’t something where we could wait, do 
an orderly briefing of the new administration, let them get their feet 
under them, appoint their assistant secretaries, and make a decision in 
1994,” says Stewart Baker. The idea of getting George Bush to sign off 
before vacating the White House had been considered, but rejected. 
“We believe that going forward with the installation of the Clipper 
Chip based on the approval of the current administration has some 
potential pitfalls,” wrote an FBI official to director Sessions in a late- 
1992 memo. What if the news of an “exploitable” chip leaked before 
the Clinton people formally approved the policy? “It might result in 
their being pushed toward disavowing the prior Bush administration 
approach in order to prevent the controversy.” 

Judge Sessions himself, whose fear of losing precious wiretaps had 
made him increasingly frantic on the issue, was the first one to hit Lit- 
tle Rock. “It had become his highest priority,” says a government offi- 
cial working for key escrow. “He was fearless in going to the transition 
team and saying, ‘You guys may be coming in January, but you’ve got 
to hear this now.’ ” In any case, the NSA was just as happy to let him 
lead. After all, Fort Meade’s stated role in government was not pro- 
moting policy decisions but providing technical background and intel- 
ligence information from its files. 

To frame the issues, the FBI, with the NSA’s help, prepared a paper 
entitled “Encryption, Law Enforcement, and National Security.” The 
classified document was packed with high-impact scenarios of what 
might happen if crypto ran free. It discussed the AT&T device as a 
possible trigger for this onslaught. But the coming disaster might be 
averted. “The solution is an encryption chip that provides extra privacy 
protection (at least a million times stronger than DES) but one that 
can be read by U.S. government officials when authorized by law. . . . 
This ‘key escrow’ system would protect U.S. citizens and companies 
from invasion of their privacy by hackers, competitors, and foreign 
governments. At the same time, it would allow law enforcement to 
conduct wiretaps in precisely the same circumstances as are currently 
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permitted under the law.” While the description sounded very much 
like a panacea to an otherwise apocalyptic problem, the paper did 
include one possibly annoying consequence of the policy: “This con- 
cept undoubtedly will be vigorously attacked by those who fear law 
enforcement abuses and thus would rather rely on technology than on 
the court to protect their privacy.” But that seemed rather an easy 
trade-off to make. Which would you rather tolerate — a bit of flak from 
privacy nuts, or a powerful weapon in the hands of kidnappers and 
terrorists? 

Stewart Baker was the NSA’s point man on the issue, and wound 
up coordinating much of the effort to sell escrow to the incoming 
leadership. While Fort Meade was packed with geniuses, it wasn’t as 
loaded with people who were comfortable dealing with the outside 
world. Baker had come a long way since Clint Brooks had come to his 
office and first told him about Equities. In that time, he had gotten a 
good view of the cryptographic landscape from the N SA point of view. 
He saw where it all fit together. You couldn’t mandate what people 
inside the country used nor could you keep every copy of a program 
like PGP away from every geek on the globe. But realistically, not 
many people were going to take the trouble to find exotic encryption 
software like PGP and figure out how to use it. Export controls were 
the way you stopped good crypto — everything from DES on up — 
from being built into the systems people used every day, and thus, out 
of the hands of most bad guys. 

Baker saw the Clipper scheme as a way of weaning the government 
from its dependence on export controls to contain crypto. There were 
signs that Congress might not support those regulations indefinitely. 
The business community was getting louder and louder in its opposi- 
tion to them. The problem was, the software industry had grown up in 
an environment with few regulations, and was now a multibillion- 
dollar colossus. It felt that the natural order of things was to fight 
things out in the marketplace while the government remained some 
distant entity. The techies seemed to regard the premier crypto agency 
in the world as some doddering, irrelevant artifact of the Cold War. 
Their philosophy was he y, technology happens. Baker was horrified 
once when a Microsoft middle manager blithely told Baker that Bill 
Gates was going to put crypto into the Microsoft operating system, that 
it was going to be in all the applications. Who cares whether it would 
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empower terrorists or rogue nations? Their attitude was, “Encryption 
is cool, let’s put it anywhere.” 

The techies weren’t unpatriotic, Baker thought, just clueless about 
the very real dangers in the world. They thought it was a joke that 
crypto was classified along with heavy munitions. But the ability to lis- 
ten in on the world — with a vast multibillion -dollar network of secret 
satellites, radar installations, and ground sensors — was a pillar of U.S. 
defense policy. How did they think we discovered those Libyan terror- 
ists who brought down the Pan Am jet over Lockerbie? How else to 
keep track of the North Korean nuke program or Iraq’s use of chemi- 
cal weapons against the Kurds? The public had only heard hints of the 
importance of those “intercepts,” signals snatched from telephone con- 
versations, digital transfers, and even walkie-talkie transmissions. Most 
of it was classified, deep black stuff. That’s why there were no reporters 
when George Bush himself had ventured to The Fort to extend his per- 
sonal congratulations to the codebreakers for their work during the 
Gulf War. Just what did the spooks do? If the public only knew. . . . 

Baker and his fellow advocates of escrow thought it essential that 
the worldview taken by the new administration be a more realistic and 
tougher one. Encryption should be an important part of the Net- 
worked Society, sure, but you needed controls. You needed limits. You 
needed a way for the good guys to hear what the terrorists and crooks 
were saying to each other. 

Early in the campaign to win the hearts and minds of the Clinton 
people, Baker and Sessions briefed Leon Fuerth, who would become 
A1 Gore’s national security advisor. Though Fuerth was cautious, the 
escrow advocates could see that their presentation had hit the mark. 
They thought they could see it in his face: the realization that the elec- 
tion campaign was over and now the Clinton folks were going to be 
wrestling with some hard, hard issues. This was one that the NSA and 
the FBI could win. 

As December rolled on, the briefings continued. And not long after 
the inauguration, A1 Gore himself got exposed to the religion by NSA 
director McConnell and Clint Brooks. It was a bull’s-eye for The Fort. 
Because Gore loved technology, he was able to appreciate the ingenu- 
ity of the key escrow scheme. A neo-Luddite Republican might have 
fuzzed out on those particulars, but Gore’s openness toward the idea 
seemed tied to his perception that these software gears and levers 
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might actually work, providing a solution that gave something to 
everybody. 

As the Clinton-Gore teams shifted from transition to governing, the 
Clipper people stepped up the meetings. Memos flew between the 
NSA and NIST on how best to anticipate and respond to possible 
objections. They knew one potential problem: Fort Meade’s insistence 
on keeping the Clipper’s workings a secret from the public. Brooks 
tried to convince his colleagues to open up, but failed. His fallback 
plan was somehow to gin up some assurances that the NSA hadn’t 
intentionally weakened Skipjack for its own purposes. “Get a panel of 
academics from cryptomath/ analyst community to examine classified 
level SKIPJACK to ‘assure’ it is valid/ good algorithm,” he scrawled on 
a memo to his director on January 5. “Who should it be?” 

Meanwhile, in the White House, the barrage of briefings was hav- 
ing its effect. In their first weeks in office, Clinton and Gore hadn’t 
signed off on Clipper. But their staffs were coming to the conclusion 
that there was no other alternative. 

John Podesta was already on board. Maybe his personal tipping 
point came very early after the inauguration when some high-tech lob- 
byists came to visit him. At this point, civil libertarians and software 
industry people were still hoping that the new administration would 
act against the spooks and the cops and liberalize crypto export regu- 
lations. (If they’d known about the Clipper Chip they would have gone 
ballistic.) Podesta, still dazzled by the new toys in his office, showed 
them his STU-III phone, the standard-issue crypto phone the govern- 
ment had used for about five years. They sneered at it. “Typical clunky 
government solution,” they said. “But you know what’s cool? AT&T 
is going to make a device that’s half the size, much cheaper, and will 
do everything that one does, but better. You should buy those'.” 
Though the high-tech guys didn’t know it, their comments resonated 
with the briefings Podesta had been getting. If the government didn’t 
do something, those damn devices probably would sweep the market. 

Not that the NSA/FBI Clipper cabal was relying on serendipity to 
bring the Clinton folks around. They were essentially stacking the 
deck, presenting a limited set of options to the greenhorns. Want to do 
nothing, and let the marketplace take its course? Fine. If you want to 
trigger crypto anarchy, that is. Doing nothing, they warned, would 
mean that AT&T would begin selling its phones and the next thing 
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you knew the costs would come down and everybody would be talk- 
ing on secure phones and e-mailing with crypto software. The smoke 
had hardly cleared from the World Trade Center bombing. What if 
another, maybe a worse, terrorist disaster came, and it turned out that 
the government failed to prevent it because the perpetrators were able 
to communicate with unbreakable crypto? You want to give Saddam 
Hussein access to ciphers we can’t break? Go ahead — do nothing. The 
blood will be on your hands. This terrified the Clinton people. 

The other alternative, which some law enforcement hardliners were 
urging, was even more extreme: ban crypto within the United States. 
In one of the FBI’s presentations, illustrated by a slide show with 
bullet charts to underline the salient points, the G-men merged their 
Clipper -related goals with their Digital Telephony vision. Essentially, 
the show said: because the domestic use of encryption is not regu- 
lated, there is a NEED FOR A NATIONAL POLICY that allows “le- 
gitimate” users crypto strong enough to foil their adversaries but also 
“insures that cryptographic devices and systems are capable of real- 
time encryption by law enforcement.” The implication was unavoid- 
able: any cryptography that does not meet that standard should be 
prohibited. Even stuff distributed by American manufacturers for 
American users. Otherwise, an intolerable “electronic sanctuary” 
would exist. Forget about the strategy of using export controls to miti- 
gate what people used inside the country. . . . Our nation was at risk 
because such tools were legally available to anyone motivated enough 
to find them. Just as it was illegal to have nuclear weapons lying 
around, it should be illegal to have codes that could fall into the hands 
of those who would destroy society with it. In a weird way, this senti- 
ment echoed Phil Zimmermann: when crypto is outlawed, only outlaws 
will have crypto. 

The Clinton people did manage to resist that demand, which would 
have started riots in Silicon Valley and probably wouldn’t have sur- 
vived a court challenge anyway. The Gore team in particular was sen- 
sitive to the idea that the emerging Information Highway needed 
privacy protections. Besides, how would you enforce such a ban? 
What did these guys want the government to do, go house to house 
and search people’s hard disk drives for copies of PGP? 

So, after being presented with two unpalatable alternatives, the 
Clinton people were offered a third way, one which, in contrast, 
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seemed a compromise with which everyone could live. In retro- 
spect, one administration insider came to see it as akin to the choices 
offered the Kennedy people on the invasion of Cuba — a cowardly 
evasion of the problem, a destabilizing full-scale military operation, 
or this other plan, a small operation at some place called the Bay of 
Pigs. 

The scheme was presented to the Clinton people as plug-ready, 
poised to go into operation as soon as the president gave the word. 
Even temporary inaction would mean a severe and probably lingering 
loss of respect from the law-and-order constituency the administration 
needed. One of the FBI men briefing the Clinton people was a burly, 
street-smart assistant director named James Kallstrom. Formerly head 
of the bureau’s technology team, he had made his bones in the bug- 
ging operation that took down John Gotti. Some people described him 
as the FBI’s version of “Q,” the gadget wizard of the James Bond 
films. He had an in-your-face style of briefing, making eye contact and 
personalizing his rap. Are you married? Do you have a child? he’d ask. 
Then he’d launch into a scenario in which someone had kidnapped 
one of your kids and was holding him in a fortress up in the Bronx. 
The bureau suspects your kid is there; they have a search warrant to 
find him. But the crooks have constructed the fortress out of some 
new metal that can’t be penetrated. Your kid’s potential rescuers can’t 
get in. What a nightmare: the kidnappers, with their precious hostage, 
watching you and the G-men trying to get in and laughing at you. 

“That’s what the basis of this issue really is,” Kallstrom would say 
in his New York accent. “From the standpoint of law enforcement, 
there’s a super-big threat — this guy is gonna build this domain in the 
Bronx right now, because he’s got a big steel door, and none of the 
welding torches, none of the boomerangs, nothing we have is gonna 
blast our way in there. Sure, we want those new steel doors ourselves, 
to protect our banks, to protect the American trade secrets, patent 
rights, technology. But do we want a digital superhighway where 
major criminals can operate impervious to the legal process? If we 
don’t want that, then we have to look at Clipper.” 

Kallstrom, along with Baker, Brooks, McConnell, and the CIA’s 
John Deutch, became part of the key escrow team ostensibly briefing 
the administration on its options, but really steering it, with one hand 
on the scruff of its Democratic neck, toward an inevitable embrace of 
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Clipper. One unexpectedly ally was commerce secretary Ron Brown; 
in the first briefing he attended, Brown mentioned that his army days 
had been spent at an NSA listening post, and he was fully aware of the 
vital importance of signals intelligence. By now the briefings included 
not only national security people but the Clinton -Gore science staffers 
like the Office of Science and Technology Policy’s Mike Nelson, info- 
nauts well attuned to issues like personal privacy and the industry’s 
need for secure systems. (Nelson got his top-secret clearance in a 
lightning-quick three weeks.) In a January 26 FBI briefing, Kallstrom 
laid out a lot of the fine points of the scheme, but Gore’s senior direc- 
tor on intelligence programs, George Tenet, had further questions on 
the Clipper methodology. Who would be the key escrow agents? How 
would the international aspects be handled? A lengthy February 9 
memo from Judge Sessions gave a detailed summary of the plan and 
the dire implications that would ensue if no action was taken. 

So, barely a month into the Clinton administration, the pressure was 
intense to move on Clipper. Supposedly, AT&T would ship ten thou- 
sand DES -equipped phone devices by April 1 if no action was taken. 
But by then, the administration’s crypto team — consisting of national 
security people and Internet specialists — had almost imperceptibly 
shifted from decision making to implementation. It was their first big 
initiative, and they wanted it done fast: the word “closure” kept pop- 
ping up in their correspondence. A typical internal memo, dated 
March 5, was from George Tenet to Gore’s national security advisor 
Leon Fuerth and his colleague William Wise: the header read “HELP 
HELP HELP.” Then, “Desperately need time from the VP” — for a 
meeting with the past and current NSA directors on the encryption 
issue. “I think I know what the VP wants to hear McConnell/Stude- 
man talk about,” Tenet continued, finishing with the odd closing, 
“God bless you all.” 

All through March, the meetings continued. Meanwhile, industry 
and civil liberties groups were lobbying the newcomers, still hoping 
that the new administration would be amenable to considerable reform 
on crypto. “You’re holding back e-commerce, you’re endangering the 
security network, and besides, it’s all out of control, anyway!” one of 
them shouted at Gore’s people. But the Clinton people had already 
mentally aligned themselves with the government insiders at the NSA, 
the FBI, the Justice Department, and the CIA. The classified briefings 
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had done the trick, particularly the warning that if no action was 
taken, people will die. Are you willing to sacrifice human lives, they 
were asked, for a fraction of a decimal point rise in the GNP? The tack 
was devastatingly effective: the dilemma was essentially resolved by 
framing it as a choice between thousands of people dying and Bill 
Gates being 10 percent richer. “That’s a pretty easy decision,” says an 
administration official. 

Not that there weren’t qualms within the White House. The biggest 
question the Clinton aides asked themselves was, “Why would anyone 
want Clipper?” (After all, the plan was supposed to be voluntary.) 
Another problem was the requirement that the Skipjack algorithm 
remain under wraps. It was inevitable that its secrecy would lead crit- 
ics to charge that the scheme was a Trojan horse to bring flawed crypto 
into the infrastructure. But the NSA wouldn’t budge on secrecy. 

Finally, there was the problem of how the key escrow scheme would 
play overseas. If a crypto solution was not global, it would be use- 
less. If buyers abroad did not trust U.S. products with the escrow 
scheme, they would eschew those products and buy instead from 
manufacturers in Switzerland, Germany, or even Russia. And how 
could you handle key escrow in other countries? Should the United 
States allow access to stored keys to free -speech-challenged nations 
like Singapore, or China? And would France, Egypt, Japan, and other 
countries be happy to let their citizens use products that allowed 
spooks in the United States to decipher conversations but not their 
own law enforcement and intelligence agencies? The answers to those 
questions were not forthcoming because the planners of Clipper never 
did work out a solution to its global implications — another conse- 
quence that came with rushing Clipper out of the door. 

None of those objections were sufficient to sink the plan. At six in 
the evening on March 31, 1993, in the White House Situation Room, 
Vice President Gore went over the proposed directives in a meeting 
that included the whole gamut of law enforcement, intelligence, and 
national security leaders. Not long afterward, he briefed the president 
with his recommendation. Bill Clinton agreed. 

Clipper was a go. 

From that point the operation shifted to what one participant calls 
“White House Marketing.” Press releases were drafted. Mike Nelson 
set about writing an explanation of the proposal in question -and- 
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answer form. Then on the eve of the announcement itself, the White 
House prebriefed a number of representatives from Congress, indus- 
try, and the civil liberties groups on the issue, not so much to collect 
feedback as to forestall charges that the Clinton people had blindsided 
them with the abrupt change in course. 

Still, no one at the White House anticipated a major clamor over 
Clipper. But Clint Brooks saw trouble coming — this issue had the 
potential to leak outside the Beltway, to make real enemies out of 
potential sympathizers. They just don’t get it, he complained to Stew 
Baker on one drive between Fort Meade and the White House. At one 
meeting, he asked, “Who’s going to handle this on Larry King Live?” 
His question was ignored. A few minutes later, he repeated it. A senior 
administration official sternly told him, “Clint, we appreciate your 
sense of humor but this is really serious — you handle the technical 
stuff and we’ll handle the political stuff.” (Some months later, when A1 
Gore appeared on Larry King Live to talk about the Information High- 
way, the first question posed to him was about ... the Clipper Chip.) 

The briefings with Congress and industry went pretty much as 
expected: the proposal was received cautiously, even skeptically, but 
not dismissed out of hand. One legislative staffer complained that 
when the Clinton people were challenged, they went on the offensive. 
“Do you want to be responsible for kidnappers?” the Clintonistas 
would ask, and the legislators would crumble. The sessions with civil 
liberties groups weren’t so cordial. John Perry Barlow of the Elec- 
tronic Frontier Foundation got one of those last-minute briefings and 
couldn’t believe his ears. He felt that his new friends in the White 
House had been “drinking the Kool-Aid,” a national security version 
of Jonestown. What particularly offended him was Mike Nelson’s 
invocation of the classified information he had heard and Barlow had 
not. “If only I could tell you what I know, you’d feel the same way I 
do,” Nelson said. Thousands could die, he confided. Barlow felt he 
was hearing the same phony music that had been sung by the Vietnam 
warmongers. What Clipper really represented, he felt, was a plan that 
would “initiate a process that might end freedom in America.” 

Then there was Clint Brooks’s effort to get outside experts the 
information necessary to explain the benign nature of the system to 
the public. The night before the announcement, Brooks himself ven- 
tured through a driving rain to brief Georgetown computer science 
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professor Dorothy Denning, his first choice to lead the panel to vet the 
classified Skipjack algorithm. It would be an inspired choice. Denning 
was an expert on crypto and computer security but her demeanor was 
as benign as Betty Crocker’s. (Science fiction writer Bruce Sterling 
once described the diminutive woman as “something like a Pilgrim 
maiden behind leaden glass.”) She was already on the record as sup- 
porting the regulation of cryptography, and coincidentally at the time 
of Brooks’s visit had just experienced an awkward situation in which 
she’d been unable to get into her locker after a swim in the university’s 
indoor pool; only helpful maintenance men with heavy-duty cutters 
(the equivalent of escrow agents!) saved her from venturing into forty- 
degree weather in her wet bathing suit. Not only was she ready to 
defend key escrow, she came to feel it was her destiny. 

On April 16, President Clinton unveiled the new initiative. In his 
press secretary’s announcement of the plan, the issue was presented to 
the public as a middle ground between two dreadful extremes — much 
as the situation had been presented to the administration by the NSA. 
Seen through that filter, the Clipper Chip was to be regarded as a 
godsend: 

The chip is an important step in addressing the problem 
of encryption’s dual -edged sword: encryption helps the pri- 
vacy of individuals and industry, but it can also shield crim- 
inals and terrorists. We need the “Clipper Chip” and other 
approaches that can both provide law-abiding citizens with 
access to the encryption they need and prevent criminals 
from using it to hide their illegal activities. 

The actual announcement did not establish Clipper as a standard, 
but it did affirm that the government itself was committed to buying 
thousands of the AT&T Clipper- inside devices for its own agencies. 
The hope was that while Clipper was designed to be a voluntary stan- 
dard, its adoption and endorsement by the government would tip the 
marketplace to make it ubiquitous. The ultimate recommendation 
would come after Clinton received the results of a widespread blue- 
ribbon review on the national crypto policy that would look at the 
escrow initiative and reevaluate the export laws. 

With that announcement, Bill Clinton and his people felt that they 
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had made a big step toward avoiding what seemed like a disastrous 
collision in the crypto world, one that had seemed predestined since 
the day that Whit Diffie figured out how to split the cryptographic key. 
In fact, the Clipper Chip did mark the turning point in the battle, but 
not at all in the way the Clinton administration had intended. By pro- 
moting Clipper as its key escrow flagship, the government profoundly 
erred. Instead of a nuanced debate on encryption, from that point on 
the merits — and drawbacks — of this particular scheme would become 
the main crypto battleground. Clipper itself was the issue, and Clipper 
as proposed was vulnerable. And Clint Brooks, who was more than 
anyone its architect, saw what was happening, but was powerless to 
prevent it. 


At first, things didn’t look so bad. From the vantage point of the White 
House and Fort Meade, it appeared that what relatively little public 
attention the Clipper Chip had garnered was fairly balanced. The New 
York Times article, published on the day of the announcement, had set 
a reasonable tone, right from its lead. The Clinton administration was 
“about to announce a plan to preserve privacy in electronic communi- 
cations . . . while also insuring the government’s right to eavesdrop for 
law enforcement and national security reasons.” Balance. Of course, 
the article did quote one industry representative as saying, “The gov- 
ernment is creating a monster.” 

In the days following, there was no rush to embrace the plan by the 
various stakeholders who might be affected by it. The feds took suc- 
cor, though, in the lack of a widespread outcry against it. The Inter- 
net, of course, was buzzing with fears of police-state tactics, but on 
the other hand, Dorothy Denning had almost immediately posted a 
clear-headed description of the system itself and was already serving 
as an example that the crypto community was not universally anti- 
Clipper. Better yet, an unexpectedly friendly description of the plan 
came from Marty Heilman, whom Brooks had briefed by phone on the 
eve of the announcement. Heilman’s explanation of the scheme was 
cautiously neutral (though he did warn that there should be safe- 
guards in the legal process leading to key retrieval), and was posted on 
the influential “Interesting People” mailing list run by Net gadfly 
David Farber. 
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On April 20, Clint Brooks wrote a memo reflecting his optimism. 
“The reactions I am getting from academic and industry people is that 
this may succeed,” he wrote. So much so, these people were telling 
him, that the government may have not allocated enough digits in the 
chip identification fields to handle all the Clippers that would come 
into use. A hundred million would not be enough! 

But that initial success was illusory, like a second-rate baseball team 
sitting in first place after a lucky string of April wins. The first serious 
rumbles came from the crucial information industries. After going 
over the plan, they concluded that the opportunity it offered to build 
strong exportable crypto into their systems was more than canceled 
out by the presence of the Law Enforcement Access Field, which pro- 
vided keys to government snoops with warrants. The point of export- 
ing crypto, after all, was to serve customers overseas. But what foreign 
companies wanted to buy a security system where the keys were stored 
in United States government escrow facilities? The business leaders 
joined with the already skeptical civil liberties people and fed on the 
energy of the grassroots Internet folk, who’d hated it from the get-go. 
Then they all took their case to the media. Though the reaction took 
a few months to build, the Clipper coverage eventually exceeded all 
the publicity that any previous cryptological development had ever 
received. 

Little of it was favorable. All the time the government was planning 
its key escrow initiative, its creators had implicitly believed that only an 
isolated few would question their motives. They saw the selling of Clip- 
per as a process by which responsible people would have a number of 
concerns, and the government would respond to those. One prime 
concern, they figured, would be a fear that the mechanics of the escrow 
scheme would somehow compromise the security of the encryption 
itself, making it easier for crooks and spies from other countries to do 
the unscrambling. Another would be that the key escrow facilities 
themselves might be vulnerable. What this thinking didn’t account 
for was that the very basis for the scheme — a government means by 
which to flip the “descramble” switch for its own purposes — was 
offensive to most people. All opponents had to do was use a simple 
analogy — What if you had to leave a copy of your front door key at 
the police station? — and even a Joe Sixpack who didn’t know encryp- 
tion from a forward pass would be an anti-Clipper convert. “The idea 
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that government holds the keys to all our locks, even before anyone 
has been accused of committing a crime, doesn’t parse with the pub- 
lic,” explained Jerry Berman of the EFF. “It’s not America.” 

Others didn’t need such analogies. One of the basic reasons many 
people wanted to use crypto was to keep information from the gov- 
ernment itself. Not that they were necessarily lawbreakers. They sim- 
ply didn’t trust the government. The bureaucrats who made the plan 
were a generation removed from Watergate, but anyone who had been 
around in the seventies might have known better. 

Former NSA director Bobby Inman, for instance, got an early brief- 
ing on the Clipper Chip and he sensed right away that it was doomed. 
Who wanted to give the government a direct pipeline to your infor- 
mation? The cypherpunks understood this, and immediately initiated 
a guerrilla campaign to infect the media and the general population 
with the anti- Clipper message. At their monthly meeting, Eric Hughes 
solicited an agenda of possible actions including everything from 
advocacy press kits to stumping for a procrypto constitutional amend- 
ment. Tim May suggested active sabotage of Clipper, or a boycott of 
AT&T. One effective prank they did pull off was distributing a little 
decal to stick on your laptop. Designed to resemble the famous Intel 
Inside logo, it read, “Big Brother Inside.” That pretty much said it all. 
(Intel quickly threatened to sue for trademark infringement, and the 
offending cypherpunks stopped distributing the stickers.) 

Opposition came from all quarters. The ACLU found itself agree- 
ing with Rush Limbaugh, who attacked Clipper on his radio show. 
Digital hippies savored the William S afire column “Sink the Clipper 
Chip,” where he noted that the solution’s name was well chosen, “as 
it clips the wings of individual liberty.” 

Tim May often expounded a theory that Americans are of two 
minds when it comes to privacy. One involves the public interest and 
was essentially anticrypto: “What do you have to hide?” The other 
expresses the individual ethic of the Bill of Rights, and is proprivacy: 
“None of your business.” Any successful policy has to walk down the 
middle of those opposing sentiments. But Clipper, in its insistence that 
nothing should be hidden from the government, never established that 
balance. Once people began calling it the Big Brother Chip, the game 
was over. 

The government did its best to defend the scheme. Stewart Baker 
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briefed industry figures including crypto advocate Bill Gates, to little 
avail. He went into the lion’s den, speaking at procrypto events like the 
Computers, Freedom, and Privacy conference — where he belittled the 
anti-Clipper forces to their faces, calling their actions, “the revenge of 
people who couldn’t go to Woodstock because they had too much trig 
homework.” He taunted them with the “If you knew what I know” 
argument. Your view of privacy, he told them, reflects a hopelessly 
naive view of the world. “By insisting on having a claim to privacy that 
is beyond social regulation, we are creating a world in which [crooks 
and terrorists] will flourish and be able to do more than they can do 
today,” Baker warned. 

Not all the news was bad for the government. In the summer of 
1993, the Skipjack algorithm was deemed strong by the team of 
“independent experts” led by Dorothy Denning and including Walt 
Tuchman (who had led IBM’s DES team) and Ernie Brickell (who had 
picked up the $1000 reward for cracking Merkle’s multi-iteration 
knapsack cipher) . Denning had become so fierce in her defense of the 
government, clearly articulating a position that posited the dangers of 
crypto anarchy, that critics were calling her “Clipper Chick.” Her dis- 
interested status made her more effective in public forums than the 
administration’s battered tech squad, which was beginning to regard 
its appearances at Internet -related conferences with all the enthusi- 
asm of dental surgery. Who could blame them, as question after ques- 
tion drilled in the reality that their natural constituency of tech- 
sawy “Netizens” now saw them as virtual brownshirts? The White 
House’s Mike Nelson came to refer to crypto as “the Bosnia of tele- 
communications . ” 

Still, Clipper seemed cursed. At every turn a new problem cropped 
up. For example, not long after the announcement of the plan, the 
government heard from an MIT professor named Silvio Micali. 
Micali, who worked in MIT’s mathematics and cryptography group 
(led by Ron Rivest), had devised some mathematical protocols he 
called “Fair Cryptosystems” that seemed similar to the government’s 
key escrow scheme. He had published a paper on them in 1992 and 
had gotten a patent for them. The government quietly paid Micali a 
million dollars to license his patent. 

Even the chip’s name proved to be a problem. “Clipper was our 
cover name, a la NSA normal operations,” Brooks wrote in an early 
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1992 memo. “I tried to get people not to use this outside the agency, 
but the policy makers and their staffs found it so convenient to use that 
it stuck.” Unfortunately, a company named Intergraph was already 
selling a microprocessor it called Clipper, and the United States had to 
pay a considerable sum to buy the rights to a moniker that was well on 
its way to what marketers call a brand disaster. 

Other problems were purely technical. The chipmaker Mykotronx 
was a government and commercial contractor unaccustomed to the 
demands of the consumer marketplace, and its chip wasn’t built to 
accommodate high-bandwidth data rates. In its haste to get the Clip- 
per Chip into the AT&T phones, the NSA had created a product that 
might have been adequate for the communications technology of 1993 
but was woefully inefficient for the high speed of information flow in 
the glistening future that would arrive, oh, two years or so later. In 
other words, as critics noted with withering irony, by the time a secu- 
rity company took the fifteen to eighteen months to build a product 
around Clipper, the hardware would be obsolete. 

Did anyone like Clipper? As part of the process, NIST had been 
required to solicit public comment on the plan. Three hundred and 
twenty individuals and organizations responded; of those, only two 
agreed with Clipper. “This is not a Hall of Fame batting average,” 
conceded NIST official Lyn McNulty. 

But the Clinton people would not budge. On February 4, 1994, the 
president formally endorsed Clipper — known as the Escrow Encryp- 
tion Standard — as a Federal Information Processing Standard. The 
government would immediately start buying Clipper-equipped AT&T 
phones for its own use, escrowing keys with NIST and the Treasury 
Department. (This despite the fact that the technology did not yet 
actually exist to perform decryption of keys retrieved from the as -yet - 
nonexistent escrow facilities.) 

“The War is upon us,” wrote Tim May. “Clinton and Gore folks 
have shown themselves to be enthusiastic supporters of Big Brother.” 

In the Senate, Patrick Leahy, among others, vowed to fight Clipper, 
insisting that without congressional approval the project could not 
be funded (setting up the program would cost $14 million, with an 
annual $ 1 6 million budgeted for the escrow facilities) . In May 1 994 
he held hearings. In rare public appearances, Clint Brooks and Mike 
McConnell presented the view from behind the Triple Fence, essen- 
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daily congratulating the administration for taking the right approach. 
“There are, to be sure, issues to be ironed out,” concluded McConnell. 
“But I am confident we will work out the wrinkles.” 

Then a panel of opponents showed those “wrinkles” to be approxi- 
mately the size of the Colorado River basin. 

One tough question they posed: Who would want to use Clipper, 
when there were already programs like PGP readily available? The gov- 
ernment’s response had been the “stupid crook theory,” best explained 
by the FBI’s Jim Kallstrom, who professed to have himself heard mob- 
sters on wiretaps make jokes about being wiretapped — and then 
engage in incriminating conversations, simply because it was too awk- 
ward to go outside and use a pay phone. “If in five years this catches 
on and people put Clipper in their devices, a high percentage of crim- 
inals will go to a Radio Shack or some other place like that to buy 
some sort of encryptor,” he said. “They’re not going to remember that 
in 1 994 some article [appeared] in the Wall Street Journal [about key 
escrow]. Maybe in the fine print somewhere it’ll say Clipper some- 
thing. But it’s not going to be readily apparent — it’ll be part of the 
landscape. That’s what would be our desire.” 

OK, so stupid crooks might use it. But the antigovernment wit- 
nesses noted that if smart criminals eschewed Clipper, so would the 
overseas customers who were crucial to its adoption. What was in it 
for France or Japan or Indonesia to sign on to a plan where the keys 
to their citizen’s private conversations — possibly involving invaluable 
business secrets — were held jointly by two branches of the United 
States government? 

Perhaps the most persuasive witness was Whit Diffie. He testified 
not only as one of the inventors of public key but as a representative 
of one of the ad hoc organizations lobbying against Clipper, the Digi- 
tal Privacy and Security Working Group. Diffie tried to put the issue 
into historical perspective. Governments had been similarly concerned 
with previous revolutions in telecommunications, like the transatlantic 
cable and the advent of radio. Despite fears that governments would 
lose sovereignty, these developments turned out to prove tremen- 
dously useful to governments. Computer communications, too, would 
probably, on the whole, increase government power. But the United 
States seemed loath to allow any of that power to accrue to its citizens. 
While the government claimed only the desire to retain its current 
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ability to wiretap, the fact was that during the time of the founding 
fathers, privacy was easily obtained simply by walking out of the 
earshot of others. “It seems that the right ... of the participants to 
take measures to guarantee the right to speak privately can hardly have 
been in doubt, despite the fact that the right to speak privately could 
be abused in the service of a crime,” said Diffie. Today, of course, peo- 
ple communicate largely by electronic means, from the telephone to 
the computer. Could it be that the government has the right to deny 
the possibility of privacy in those conversations? “The legitimacy of 
laws in a democracy grows out of the democratic process,” Diffie told 
the senators. “Unless the people are free to discuss the issues — and 
privacy is an essential component of many of those discussions — that 
process cannot take place.” 


Not long after the Senate hearings, Clipper suffered perhaps the worst 
blow of all. It came not as a tirade in Congress, an attack by an indus- 
try representative, or a screed from a cypherpunk. It was the result of 
a scientific experiment conducted by a formerly obscure research sci- 
entist named Mathew Blaze. Essentially, he made the Clipper Chip 
look stupid. 

Blaze was a New York kid, a classic science nerd. He’d dropped out 
of a preppy private school, worked for a while as a paramedic (the first 
person hired by the city’s emergency medical service without a driv- 
er’s license), then drifted back to college, earning a degree in two 
seemingly incompatible sciences: computer and political. At graduate 
school at Columbia, he began seriously thinking about crypto. Talking 
to his officemate, a guy named Stuart Haber, who had devised a way 
to use public key to time -stamp documents digitally (providing an 
electronic equivalent to the old trick of postmarking a letter to affirm 
its age), he realized that crypto was both a way to tackle important 
mathematical problems and a practical lever to change society. Blaze 
was also a big believer in privacy rights. 

After switching to Princeton and getting a Ph.D., he went to 
work for the small crypto group at AT&T’s Bell Labs research facility. 
Blaze began working in areas of encryption other than algorithms. His 
group was more concerned with basic research than AT&T’s secure 
system group in North Carolina, which had produced the TSD 3600 
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device that was slated to be the Clipper phone. In fact, he found out 
about Clipper by reading the newspaper like everyone else. 

But as the Clinton administration was readying its February 1994 
endorsement of the escrow standard, it had initiated a series of tech- 
nical briefings that included the Bell Labs crypto group. Several NSA 
scientists came to New Jersey for a briefing. Though the group could 
generally be described as anti-Clipper — besides the privacy implica- 
tions, as cryptographers they were offended at the security risks of 
sending a key to a third party — “we managed to be on our best behav- 
ior,” says Blaze, “not letting the meeting degenerate into whether this 
is a good idea.” Afterward, he asked if he could post a summary of the 
meeting to the Internet, and Blaze stuck to the facts in that as well. 

This impressed people behind the Triple Fence, who apparently 
thought Blaze could be another valuable outside tester of Clipper tech- 
nology. They invited him and a colleague to Fort Meade to get a proto- 
type of Tessera, the smart-card-based version of the escrow system. 
(Tessera was to be a portable version of the whole -enchilada Capstone 
cryptosystem that Clint Brooks favored over the limited Clipper Chip.) 
Never having been there, Blaze was excited. He was given the standard 
visitor’s badge with a sensor that tracked him through the building: 
when his host took him through he had to keep facing security cam- 
eras and assuring some unseen guard that Blaze was with him, and a 
disembodied voice said, “Okay, thank you.” Even between the briefing 
room and the bathroom this happened a couple of times. “They didn’t 
actually follow me into the bathroom,” Blaze says. When the Bell 
researchers left, they were given Tessera cards, a stack of manuals, and 
NSA coffee mugs. 

Blaze immediately began testing the system, focusing on the Clipper 
aspects of the device. Unlike Dorothy Denning’s team, which had 
focused on Skipjack, Blaze wondered whether there was a way to 
actually use the strong encryption while defeating the escrow feature. 
In other words, could a crook, terrorist, or someone just wanting pri- 
vacy use Clipper’s crypto without being identified? He focused his 
efforts on studying the Law Enforcement Access Field. “I wasn’t even 
thinking of it as a potential weakness,” he says. “But it turned out that 
the obvious way of defeating the LEAF was pretty much the first thing 
you would initially think of.” 

Using a card reader and a little program that simulated a wiretap. 
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he began testing. The simplest things — altering the code so you 
wouldn’t send the identifier, or sending some other number in place 
of the identifier — didn’t work. But it took only a bit of thought to 
come up with slightly more complicated ways that did work. The 
breakthrough came when Blaze, poring over the manuals, noted that 
the “checksum” in the LEAF was only 1 6 bits long. (The checksum is 
the way to verify that the proper LEAF, including the chip identifier 
and session key that encoded the conversation, was indeed sent off to 
the authorities. The proper number in the checksum is like an “all’s 
clear” that says everything is OK. If there was some way of creating a 
counterfeit LEAF with a legitimate checksum, in effect you would 
have defeated the Clipper system. The encryption would work, but 
the wiretappers wouldn’t have the proper session key to decrypt the 
conversation.) 

“Sixteen bits isn’t a very big number these days, computationally,” 
Blaze says. Within a few hours he hacked up a “LEAF-blower,” a 
quick program that could send out every possible combination (2 to 
the 16th power) of checksum numbers, then hooked it to his test sys- 
tem. He really didn’t expect it to work — it seemed so easy. But it did 
work, each time he tried it. In no more than forty-two minutes, he was 
able to send out a checksum that spoofed the escrow system into mis- 
takenly assuming he was sending out the data that could lead investi- 
gators to the escrowed key — when in fact that data would lead them 
nowhere. Instead, the wiretapper would be faced with a conversation 
encrypted by the powerful Skipjack algorithm, deemed uncrackable by 
the NSA itself. (He also found a way in which two people conspiring 
to defeat the LEAF system could do so even more quickly.) 

What Blaze did not know was that the small checksum space was no 
accident but an artifact of the haste with which Clipper was prepared. 
During the hurried design process the NSA engineers consulted with 
various technical experts at telephone companies, and were warned 
that with wireless phones, any system that required transmission of 
too many bits would be deemed impractical. So the LEAF field was 
limited to 128 bits. Of that, 32 bits had to be used for the chip iden- 
tifiers, leaving only 96 bits for an actual encryption key and the check- 
sum. The NSA wanted a large checksum, but the FBI insisted on using 
80 bits so the full session key would be transmitted. (An alternative 
may have been to leave off some of the key bits and allow the FBI to 
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complete the decoding by a brute-force attack. If, for instance, eight 
bits had been diverted from the keyspace to the checksum, the FBI 
could have run through a mere 256 different alternatives to find its 
key — but Blaze’s attempt to crack the checksum would have taken not 
42 minutes, but more than a week. That’s a long time on hold.) 

In a few days, Blaze sent a draft paper of his findings to his col- 
leagues at Bell Labs. Most of them couldn’t believe it. “Are you sure 
about this?” they asked, suggesting he recheck his work. He did. Then 
he began the more delicate process of checking it with outsiders. One 
morning Blaze girded himself and sent a fax of his draft to Fort 
Meade. Right after lunch he got a call back, affirming his results were 
technically correct. 

“What are you planning on doing with this?” asked his NSA 
contact. 

Blaze took a deep breath. “I’d like to publish it.” 

To his surprise, no objection was raised. His NSA reader did point 
out a couple of errors in numerical transcription and one grammatical 
error. Now all Blaze had to do was get an okay from his employer — 
who had millions of dollars riding on its Clipper phones. Though there 
were some who wanted to bury the paper, eventually Blaze managed 
to convince his bosses that it would be impossible to keep his findings 
secret, so they shouldn’t even try. In any case, John Markoff of the 
New York Times had already gotten wind of the work. Blaze got per- 
mission to send him a draft, so that whatever story ran would be accu- 
rate. Markoff called back for some clarification and a few hours later 
called back again and asked Blaze a strange question: how news- 
worthy did he consider the story? Blaze felt that it was indeed a 
story — it showed how rushed the NSA was to get its system out, and 
emphasized how dangerous it was to foist something half baked on the 
public — but not a front-page story or anything like that. Not long 
afterward, Markoff called again, almost apologetically, and said that it 
had been a slow news day so the story was going to be more promi- 
nently placed. Blaze figured that meant it would lead the business 
section. 

He’d heard that you could get the next day’s paper at 9 p.m. if you 
went to the Times Building, and he was curious enough to do so. After 
opening the paper, he went through it and was disappointed to find 
nothing. “It hadn’t occurred to me to even look on the front page until 
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I had gotten out of the building.” But there it was — leading the entire 
paper on the sweet spot in the rightmost column of page one, head- 
lined “flaw discovered in federal plan for wiretapping.” 

This was significant in several ways. First, though the flaw itself 
could be fixed — and arguably didn’t compromise security much — the 
very fact that such a weakness existed put a permanent taint on a sys- 
tem dependent on public trust. But perhaps more important was that 
the former backwater, mumbo-jumbo subject of crypto had raised its 
profile so high that even a moderate development like Blaze’s crack 
could be seen by the Times editors as the most important story in the 
world that day. What made this dry topic sexy was the whiff of a Big 
Brother who couldn’t even program correctly. The government unin- 
tentionally played into that role when an imperious NSA official 
insisted that Blaze’s attack, while feasible, was unlikely in practice — 
not a particularly comforting assurance for the nation’s cryptographic 
caretaker. Much stronger was Marty Heilman’s assertion, “The gov- 
ernment is fighting an uphill battle.” 


Meanwhile, after some initial supply problems, the government was 
already starting to use Clipper phones. (The more comprehensive Cap- 
stone chips, designed to escrow computer communications, were late 
in entering the pipeline.) Approximately once a week, four couriers 
with security clearance — two each from NIST and the Treasury 
Department — flew from Washington, D.C., to Torrance, California, to 
the so-called programming facility at Mykotronx headquarters. (The 
redundancy was intentional, conforming to the Two -Person Integrity 
Protocol also used for nuclear weapon controls.) Once inside they 
waited while a Sun workstation did its work, first generating the 
unique cryptographic keys that would be blown into the MYK-78 
(Clipper) chips, then splitting the keys into two parts and creating two 
stacks of floppy disks, each one with a set of partial keys. To recon- 
struct the full keys inside the chips required both sets of disks. 

Backup sets were produced by the same method. Then the disks 
were separated, each one going with a pair of couriers. A plastic seal 
went over the disks. When the couriers returned to their respective 
agencies, the disks were placed in double -walled safes meeting gov- 
ernment standards for classified materials. A set of the backups went 
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in another safe. And there they waited, about 20,000 key splits by May 
1994, sitting undisturbed while the war over Clipper continued. 

In late January 1994, the Computer Professionals for Social Respon- 
sibility had written a letter to the president urging that he rescind the 
Clipper proposal. It was cosigned by privacy experts, industry figures, 
academics, and cryptographers, and supplemented by signatures gath- 
ered over the Internet. Within a few months, the petition — one of the 
first Internet political protests — boasted over 47,000 endorsers. While 
a skeptic might dismiss this as a result of overheated Net-heads, a New 
York Times/ CNN poll showed that the government had clearly suffered 
a Custer-sized rout in the public relations arena. Eighty percent of the 
American public now opposed Clipper. 

Not that it did any good. The administration was betting that the 
export regulations would prevent strong crypto from being built into 
products that people routinely used, and key escrow would be the only 
game in town. But Congress had the power to change those regula- 
tions. And pushing hardest on the issue was a thirty-eight-year-old 
single woman in her first term in Congress. 

Maria Cantwell was a daughter of an Indiana politician. She’d 
moved to Washington State in her twenties, served in the legislature 
there, and in 1992 pulled off a successful run for the House. Her 
district, consisting of part of Seattle and the towns east of Lake 
Washington, was loaded with high-tech companies, from Nintendo to 
Microsoft. So when choosing a committee to serve on she focused on 
one of the software industry’s main concerns, exports, and requested 
the Foreign Affairs Committee — specifically, its subcommittee on eco- 
nomic policy, trade, and environment. 

She’d hardly gotten familiar enough with the House to find the 
cloakroom when the Clipper announcement hit. It infuriated her big 
high-tech constituents, and she began to look more deeply into the 
problem, particularly at the export regulations. She worked closely 
with the affected software companies, not only those in her district like 
Microsoft but others like Lotus. The more she learned about the 
export regulations of crypto, the more absurd they seemed in the com- 
puter age. They can’t be so myopic to think cryptography is a munition, 
she’d say to Sam Gejdenson, the subcommittee chair and one of her 
legislative mentors. If they continue, you won’t be able to get protection 
on the Internet. 
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Meanwhile, the export situation was at a standstill. In 1 992, some 
of the leaders of the new industry, like Lotus’s Ray Ozzie and 
Microsoft’s Nathan Myhrvold, had spent an incredible amount of 
energy negotiating a deal with the NSA. The talks were a classic cul- 
ture clash. The software guys thought it absurd that government was 
attempting to contain bits of code within national borders, when algo- 
rithms with the same ciphers were openly published in countries from 
Germany to Russia. It was the worst sin among nerds: illogical behav- 
ior. Or was it? “Don’t you realize,” Myhrvold once asked one 
of the spooks in a briefing session, “that you’re like the little Dutch 
boy, trying to use your fingers to plug the dike against a sea of strong 
crypto? ” 

His tormentor smiled. “Every day the dike doesn’t break,” he said 
softly, “is a victory.” And it was true. Sure, the crypto genie had 
escaped the bottle. But if you throw enough obstacles in the genie’s 
way, it’ll take him a long time to perform any magic. 

Finally, all that energy resulted in a temporary compromise. Work- 
ing with an industry group called the Software Publishers Association, 
the companies got an agreement for “expedited consideration” when 
they exported software programs sold in shrink-wrap to retail cus- 
tomers. The requirement was that the encryption in those products 
would be Ron Rivest’s ciphers RC-2 or RC-4, using keys of no more 
than 40 bits. This would allegedly be increased in subsequent years to 
keep pace with faster computers. In exchange, the NSA got some 
restrictions of its own. The regulation would not be formalized in an 
explicit standard. RSA and the companies using the cipher had to 
agree to keep the details of its design a secret. 

But no one particularly liked that deal. Companies had two choices. 
They could, like Lotus, offer American customers a version with strong 
(64-bit) encryption, and a weaker version for export. Then foreign cus- 
tomers would wonder why their software had second-class crypto — 
and sometimes, buy other products. Ray Ozzie claimed that it was 
already happening with Lotus. (He called the 40-bit limit espionage- 
enabled encryption.) Or, like Microsoft, they could avoid the hassle of 
manufacturing and shipping two versions and give everyone weak 
encryption. Meanwhile, hard-liners in the government felt that by 
green-lighting an export exemption, no matter what the key length, 
they were on a slippery slope toward strong crypto. Give the Lotuses 
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and the Microsofts 40 bits now, and tomorrow they’re at your door 
demanding 48 bits, and more. 

But when Cantwell and Gejdenson went to the White House to urge 
movement toward export of stronger crypto, they hit a brick wall. The 
Clinton people held firm. 

In October 1993 Gejdenson and Cantwell held a subcommittee 
hearing to draw attention to the problem. “This hearing is about the 
well-intentioned attempts of the National Security Agency to control 
that which is uncontrollable,” said Gejdenson. He was talking about 
export regulations, but he might have been talking about something 
else — the support from Congress that Fort Meade once took for 
granted. While the majority of legislators accepted the NSA’s con- 
tentions at face value, a cognitive dissonance was emerging between 
its arguments and what appeared to be a more compelling view of 
reality. Cantwell put it clearly in her own opening statement: “We are 
here to discuss, really, competing visions of the future.” On one hand 
was a mind-set so locked into Cold War posturing that it ignored the 
inevitable. On the other were the techno -visionaries who powered our 
future, eager to fortify American ascendancy in a global marketplace. 

The hearing’s first witness was Ray Ozzie, who had come prepared 
with a software demo. He had a screen connected by phone line to his 
computer in Massachusetts, which he used to venture onto the Inter- 
net and download one of “hundreds of thousands” of copies of imple- 
mentations of DES available overseas. He chose one in German, and 
downloaded it into his machine within seconds, as anyone in the world 
could do. But, he noted, if he were then to send the same software 
back to Germany, he would be guilty of the federal offense of export- 
ing strong crypto. 

Next was Steve Walker, a former NSA official who now headed 
Trusted Information Systems, a consulting firm helping businesses 
implement crypto. He presented the results of a Software Publishers 
Association study that identified 264 cryptographic products pro- 
duced overseas, 123 of which employed DES. Foreign individuals and 
companies could buy any of these, but not similar products created by 
American firms because the NSA would not permit their export. “It 
cannot be clearer,” he said. “The existence of widespread and afford- 
able cryptographic products overseas is an indisputable fact ... the 
U.S. government is succeeding only in crippling a vital American 
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industry’s exporting ability.” He then cited specific examples of busi- 
ness lost by American companies, like one firm that lost half of its 
European customers because it could not provide them strong crypto- 
graphic security. 

Phil Zimmer mann gave testimony that trying to restrict cryptogra- 
phy is like attempting to “regulate the tides and the weather.” Don 
Harbert, an executive of Digital Equipment Corporation, insisted that 
“U.S. export controls on encryption must be brought into line with 
reality.” 

One of the committee members who had not been previously vocal 
in challenging the government, a conservative Californian named 
Dana Rohrbacher, noted for the record that if it were five years ear- 
lier, he would have chastised the witnesses for seeking profit at the 
potential loss of national security. But now, he said, “the Cold War is 
over. It is time for us to get on.” 

After the public session, security experts swept the room for bugs 
before the inevitable follow-up hearings involving the interests of the 
National Security Agency: The Briefing, “where the NSA answers all 
those questions in secret,” said Gejdenson. NSA briefings were notori- 
ous in Congress. They involved a dramatic presentation by the NSA on 
why our international eavesdropping abilities were so vital, typically 
including a litany of victories achieved by clandestine snooping (victo- 
ries that would have been unthinkable without billions of dollars in 
funding), and perilous international situations that required continued 
vigilance and support. Perfected by Bobby Ray Inman in his days 
as NSA director, they initiated legislators into the society of Top 
Secret, implicitly shifting their alliance from the citizenry to the in- 
telligence agencies. A newly cleared congressperson would get a 
presumably unvarnished and reportedly terrifying dose of global 
reality, after which he or she thereafter could be assumed to dutifully 
support any demands of the National Security Agency, lest the Huns 
gain a purchase on our liberty. Representatives and senators had been 
known to venture into the bug -swept room and emerge grim faced, 
stunning their go-go staffers by remarking, “Well, maybe we should 
reconsider.” 

Not Maria Cantwell. She was among a growing number of legisla- 
tors who found The Briefing impressive but not persuasive. The issue 
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for these skeptics wasn’t just how important crypto was, or what suc- 
cesses we’d had breaking codes, but whether maintaining export rules 
was actually productive. If the genie was out of the bottle, so what 
if American companies couldn’t export? Crooks would get crypto 
elsewhere! 

Cantwell began to prepare a legislative remedy. In 1 994 the Foreign 
Affairs Committee was already planning its periodic overhaul of the 
export regulations. She prepared H.R. 3627, “Legislation to Amend 
the Export Administration Act of 1979,” a bill adding a new sub- 
section to the old rules, with specific implications for software exports, 
including encryption. It would move the decision-making process 
from the Department of Defense to Commerce, and would essentially 
make shrink-wrapped or public-domain software exempt from export 
regulations. It would put an end to the NSA’s game of controlling 
American crypto by use of the export laws. 

Naturally, the administration could not let that stand. When Cant- 
well was ready to introduce the bill, her staff notified her of an incom- 
ing phone call — from the vice president. The only previous time she 
had engaged A1 Gore in a one-on-one had been during the budget bat- 
tle, when Cantwell, despite severe reservations, had supported the 
administration (and would eventually wind up losing her reelection 
campaign in part because of it) . What did he want this time? 

“I want you to stop this bill,” he said. He reiterated the stuff from 
the briefings about national security and all that. 

Cantwell held firm. “I’m sorry, Mr. Vice President,” she said. “I 
respect your opinion but I’m not changing my mind.” 

In a way, that was a turning point for Maria Cantwell. She got the 
bill through the subcommittee and kept pressing, even though fellow 
committee members were already trying to get her to drop the thing. 
Even before she left the hearing room after the vote — she hadn’t even 
gotten up from her chair — one representative came up to her and said 
outright, “If you don’t stop this it’s going to get very ugly.” And Maria 
Cantwell said to herself, “I’m not stopping.” 

On November 24, 1993, Cantwell introduced H.R. 3627 on the 
House floor. Her comments were blunt. “The United States’ export 
control system is broken,” she said. “It was designed as a tool of 
the Cold War, to help fight against enemies that no longer exist. The 
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myriad federal agencies responsible for controlling the flow of ex- 
ports from our country must have a new charter, recognizing today’s 
realities.” 

The pressure continued, though most members were collegial in 
their attempts at persuasion. There was one instance in which a fellow 
Democrat came up to her on the floor and began berating her for 
ignoring national security issues. She felt intimidated but more than 
ever was convinced she should go on. With all the forces lined up to 
bolster these bizarre export laws and the silly Clipper Chip, it struck 
her as an exercise in unchecked power — against consumers. 

Still, she knew that on this issue she was out there. Though she was 
doing yeoman service for the techies she represented, most of her con- 
stituents in Washington State’s First Congressional District preferred 
her to be concentrating on issues such as health care, and here she 
was, locked in meetings with National Security Advisor Tony Lake. 
One day she heard that Bill Gates would be in town. So she asked the 
people at Microsoft who had been working with her — Nathan 
Myhrvold and company counsel Bill Neukom — if they could convince 
the world’s most famous techno-geek to lobby her colleagues on the 
matter. I’m out on a political limb here, she pleaded. Without public- 
ity, she had Bill Gates address the intelligence committee. The 
National Security stooges started to explain to the billionaire how 
important the export laws were, but the icon of the New Economy had 
little patience for being lectured. Gates let them know that was a bull- 
shit reason. The committee members didn’t get offended — it was kind 
of a kick, getting snapped at by the world’s richest guy. You certainly 
had to take him seriously when he talked about what was good for 
business. 

Cantwell dug in her heels with the White House, too. She asked 
them not to fight her bill, but to let it take its course in Congress. The 
response was unexpected, and it came two days before the vote. It was 
a deal. If we change our position, the Gore people wanted to know, 
would you drop the bill? They suggested that instead of forcing the 
Clipper Chip on people, they would instead advocate a different vol- 
untary key escrow scheme. And maybe it could be based on more flexi- 
ble software implementations than that already antiquated chip. And 
maybe, instead of only government escrow facilities, some could be in 
the more-trusted private sector, like banks or security companies. 
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A significant retreat, but it was still an escrow scheme, not at all the 
ultimate solution that Cantwell and her constituents wanted. On the 
other hand, the chances of her bill passing were equivalent to that of 
Microsoft’s shipping an operating system without bugs. (Even then it 
would face a near-certain veto.) Cantwell went back to the people who 
had been fighting the battle long before she switched Washingtons. 
Bruce Heiman of the industry group called the Business Software 
Alliance was encouraged that the administration was giving a frame- 
work for a compromise. Nathan Myhrvold straight out celebrated. 
“They blinked,” he later said. All of Cantwell’s advisors agreed, though, 
that before she stood down, she should get promises in writing. 

On July 20, 1994, the afternoon before the vote, the letter from A1 
Gore arrived. After the usual flatulence (“I write to express my sincere 
appreciation for your efforts to move the national debate forward . . .”) 
Gore got to the point. 

The administration understands the concerns that industry 
has regarding the Clipper Chip. We welcome the oppor- 
tunity to work with industry to design a versatile, less 
expensive system. Such a key escrow system would be 
implementable in software, firmware, hardware, or any 
combination thereof, would not rely on a classified algo- 
rithm, would be voluntary, and would be exportable. . . . 

We also recognize that a new key escrow encryption system 
must permit the use of private -sector key escrow agents as 
one option. 

Apparently, the White House figured that the exercise was simply a 
way to quiet a potential firestorm. (Later in the summer, a Defense 
Department official seeking clarification on the implications of the 
policy shift was told that the letter was intended “to placate Rep. 
Cantwell and avoid a national debate.”) But when the contents of 
Gore’s missive found their way to the front page of the Washington 
Post the next day (a slight embarrassment for Cantwell, who didn’t 
want to look like she was showboating), the Gore people rediscovered 
that the Bosnia of telecommunications was as thorny as ever. The 
White House had made its promises without clearing them with the 
NSA or the FBI. (The first Clint Brooks had heard about it was the day 


268 | crypto 


it ran in the Washington Post.) Cantwell got a call from a Gore person. 
Do you mind, he asked, if we, um, rescind the letter? 

“Do you know how silly you’d look?” she replied. It was, after all, 
Gore’s letter, Gore’s words. She promised that she wasn’t out to milk 
the incident with the press, but the news was out there, and she didn’t 
have the authority to let him rescind the agreement. So the deal stood. 
Cantwell dropped her bill, though in the next few years it would be 
only the first of a number of increasingly popular congressional initia- 
tives to reform the export rules. Meanwhile, the Gore letter, whether 
intentional or not, was essentially a blueprint for the direction that the 
administration would take in tinkering with their ill-fated Clipper 
Chip. A step backward. A rejection. Another step backward. Stalling 
and confusion, while the great honest debate that Clint Brooks had 
envisioned about a national crypto policy never did come to the fore- 
front. Meanwhile, the platform that Brooks considered absolutely 
essential — a full encryption solution to protect privacy, a policy that 
would generate a pervasive digital signature policy to empower elec- 
tronic commerce and prevent electronic forgeries, and access for law 
enforcement — never did get straightened out. 

Clint Brooks himself wanted out of the struggle. After a couple of 
years of driving back and forth from Maryland to D.C., having the 
same arguments with the same people, he asked the new NSA direc- 
tor if he could work on something that utilized his talents more effec- 
tively. His request was granted. Nirvana was lost. 
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b y 1995 , it was clear that the field of cryptography — as well as its 
reach — had dramatically changed, despite the government’s best ef- 
forts. Crypto, propelled by computer power and new discoveries by the 
Whit Diffies of the world, was moving at a turbocharged pace, shifting 
from Pony Express to Internet time. But the basic principles remained. 
Despite the increasingly invoked specter of crypto anarchy — where 
codes would proliferate unchecked, to the point where no government 
or institution could even hope to get a handle on digital commerce or 
law — the ancient clash of measure and countermeasure persisted. 
Only now the outsiders had a hand in the game. 

Over a century before, Edgar Allan Poe, who had been nearly obses- 
sive on the subject of cryptology, wrote, “It may roundly be asserted . . . 
that human ingenuity cannot concoct a cipher which human ingenu- 
ity cannot resolve.” Mathematically, of course, Poe was wrong; the 
verifiably impenetrable one-time pad was a firm “nevermore” to his 
claim. But implementing a one-time pad was demanding; certainly it 
was inappropriate in large-scale settings. So on a practical basis, 
was the poet’s claim correct? When Martin Gardner had cited Poe’s 
quote in his famous Scientific American article about RSA, he had 
thought not. 


270 | crypto 

The question certainly bugged Phil Zimmermann. In his heart, he 
felt that the encryption algorithm at the center of his PGP software 
was sound. In naming his program, he felt that “pretty good” was an 
understatement: users should be able to count on its imperviousness 
to codebreakers. The government, at least publicly, hinted that PGP 
was strong, too. In the spring of 1995, Louis Freeh of the FBI and 
William Crowell of the National Security Agency had testified in a 
classified congressional briefing about the difficulty of breaking crypto 
with long key sizes. Freeh complained, “We don’t have the technology 
or the brute-force capability to get to this information.” Crowell went 
even further. Citing current personal computer technology, he said 
that to crack “128-bit cryptography, which is what PGP is . . . would 
[take] 8.6 trillion times the age of the universe.” 

But Zimmermann knew that a brute-force attack on IDEA (Inter- 
national Data Encryption Algorithm) was not the only way to gut 
his cipher into something that could be called “Pretty Good Try at 
Privacy.” There were countless ways to crack a code. Maybe through 
stronger factoring algorithms and dedicated hardware a super- 
computer could make much faster work of the public key part of the 
program. Or, even more likely, there could be quirks in the details of 
PGP’s implementation that would provide a cryptanalyst with a pre- 
cious shortcut to plaintext. 

As it happened, one evening at the 1995 crypto conference at Santa 
Barbara, there was a cocktail party alfresco, and late in the evening a 
few cryptographers, decked in traditional garb of T-shirts and sandals, 
gathered around one of the event’s keynote speakers. He was Robert 
Morris, Sr., and until recently the only crowds he’d addressed were 
those authorized to receive U.S. government secrets. He had just 
retired as a top scientist at Fort George Meade. Morris’s reputation — 
enhanced by the unknowable feats he may have accomplished in the 
service of spookdom — drew a small crowd to his table. And when 
Morris mentioned that he wouldn’t mind meeting Phil Zimmer- 
mann, the neatly bearded forty-one-year-old was quickly called over. 

“Phil, let me ask you a question,” said the former intelligence man, 
puffing aggressively on a cigarette. “Say that someone used PGP for 
very bad stuff. How much would it cost us to break it? ” 

Zimmermann seemed flustered. “Well, I’ve been asked that before,” 
he said. “It could be done.” 
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“But how much would it cost us?” 

It was far from Zimmermann’s favorite subject, but he played 
along. He conjectured that the best attacks on PGP would not be on 
its key size but on other weaknesses. Its data structure could be 
troublesome, he admitted, its error correction poor. 

Morris nodded and said nothing. He’d been playing with Zimmer - 
mann. Who the hell knew if the NSA had already unearthed some ele- 
mentary flaw that enabled the acres of silicon in its vaunted basement 
instantly to cough up the plaintext of the freedom fighters who 
allegedly used Zimmermann’s program? But the next day in his talk, 
Morris implicitly provided a commentary on the new cryptographers 
and their crypto-anarchist visions. He revealed no trade secrets. But 
somewhat in the spirit of the Eastern masters, Morris did present a 
pair of truisms — koans of the crypto faith — that pointed toward an 
eventual rapprochement between the Equities, one beyond the current 
political struggles. A glimpse of a post-Clipper society in the century 
to come. 

Koan One (for codemakers): never underestimate the time and 
expense your opponent will take to break your code. The inner text of 
the Morris speech was that cryptography is best left to those of a para- 
noid mind -set, those who believe beyond question that their opponents 
just may be very rich, very clever, and very dedicated — hellhounds on 
the trail. They will launch powerful frontal assaults on your codes. And, 
often, they will win. 

Koan Two (for codebreakers) : look for plaintext. This was reas- 
surance to the crowd that no matter how baffling the task of code- 
breaking might seem, the fact is that very fallible human beings are the 
ones who must employ these sophisticated systems. So sometimes, 
when one least expects it, a seemingly impenetrable code — the jumble 
of ASCII confetti one must hammer into human language — might 
have a passage, or an entire message, somehow unencoded. In that 
case, you could read it as easily as a fortune cookie. 

To the crypto anarchists, Morris was saying, “Hey, it’s not that easy 
to create a cipher utopia.” The ancient game would go on. But by 
imparting the lesson to outsiders he was also tacitly acknowledging 
that the future belonged not just to the NSA illuminati, but to these 
T-shirted longhair s at Santa Barbara as well. 

Morris’s statements came at a time when the tension between public 
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and government crypto was at its height. Further, a novel twist had 
recently been introduced. Some of the emerging crypto forces were 
now well beyond code making and deeply into cryptanalysis. While 
this had been undertaken by the crypto crowd before — most famously 
in the attacks on Merkle’s knapsack scheme — there was now a new 
sort of effort. It did not conform to the traditional rules forged in the 
world of William Friedman or Alan Turing. ... It was an aggregate 
code breaking, a mass effort powered by the amplifying abilities of the 
Net. Its practitioners were, of course, cypherpunks. This breed of 
codebreaker was not interested in crime and espionage, but in making 
a political point and reaping big fun in the process. 

One of the first efforts began with Phil Zimmermann’s PGP soft- 
ware. Long before Morris brought up the question of PGP’s strength 
at Crypto ’95, its users had been plagued by nagging questions of its 
resilience. Their angst reflected the key dilemma of guerrilla cryptog- 
raphy: could you trust software developed without the imprimatur of 
an organization known for secure codes? This was the question that 
Derek Atkins, then a twenty -year -old electrical engineering student at 
MIT, was asking himself in 1992. His initial reaction to Zimmer- 
mann’s program was to join the crusade, and he became part of the 
impromptu development team creating new versions of the software. 
But then Atkins came to wonder what attacks might work against it. 

As Bob Morris indicated in his talk, there are two general ways to 
crack a cryptosystem. The first way is brute force — to try all possible 
solutions until you hit on the right one. The second method involves 
seeking a shortcut, an unintended weakness, which may enable you to 
break the codes. As Atkins spoke to his friends — including Michael 
Graff at Iowa State University and Paul Leyland of Oxford University — 
he decided on the former style of attack. Trying to find a subtle flaw 
was a task beyond his abilities and experience. (Though, as Morris 
implied, it was a route that the NSA had probably attempted.) On the 
other hand, everybody seemed to agree that a direct, and perhaps fea- 
sible, route to cracking PGP would be one that worked against any 
RSA-based program: factoring. 

Rivest, Shamir, and Adleman had understood, of course, that if 
someone figured out a quick way to factor — to determine two origi- 
nal primes from the key based on the product of those numbers — their 
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system was dead meat. But even though they had expected somewhat 
better factoring algorithms to come, they figured that nothing on the 
horizon would make it feasible to break RSA. Atkins and his friends, 
however, wanted to test that proposition. They suspected that by rely- 
ing on a previously unavailable resource — the thousands of com- 
puters accessible to people on the Internet — they might be able to 
make factoring history. This was a fascinating premise, regarding the 
aggregate computing power of Internet users as sort of a giant super- 
computer, perhaps a kludged cousin to the ones that supposedly 
existed in the basement of Fort Meade. They ran the idea past Arjen 
Lenstra, the renowned mathematical expert at Bellcore in New Jersey. 
He told them that the large prime numbers commonly used in PGP (as 
well as the commercial versions of RSA) would be too formidable to 
attack. Then he suggested another challenge: RSA 129. 

Lenstra’s idea cut to the heart of the issue of whether or not cryp- 
tography could ever assure perfect security. The RSA 129 challenge 
was the one offered in Martin Gardner’s Scientific American column 
in 1977 — the column that began by declaring moot Poe’s dictum that 
no code was impervious to cracking. The challenge still had not been 
met in all these years. The estimate of time it would take a dedicated 
supercomputer to factor a number that size was forty quadrillion 
years. But even if you did not accept that number (Rivest now says it 
was a miscalculation) even a much, much smaller number — a billion 
years, say, or a measly few million — would indicate that anyone 
breathing today’s air would have been long rendered into a dust ball 
before the secret of the RSA message encoded with a 129 -digit key 
would be revealed. 

Yet fifteen years later, Atkins, Graff, Leyland, and Lenstra joined 
forces with the Internet to attempt to collect that hundred dollars — in 
a matter of months. 

The first, and probably most important, thing they needed was a 
good factoring algorithm. There had been some conceptual advances 
in this area since Gardner’s column had been published. Specifically, 
someone had devised the “double large prime multiple polynomial 
variation of the quadratic sieve.” This involves searching in a numbers 
realm called vector space for numbers known as univectors. These can 
be combined to chart mathematical relations in a way that yields the 
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two original primes. “You don’t have to search the full space of possi- 
bilities, but only a small finite portion of the space,” says Atkins. “One 
way of looking at it is that we were looking for eight million needles in 
a haystack full of countless needles. You’re not looking for any par- 
ticular needle — you just find enough of them and combine them in a 
special mathematical means to actually factor the number.” That tech- 
nique was perfect for a distributed Internet attack, where literally hun- 
dreds of people would join forces to solve the problem. 

During the summer of 1993, the software was ready — Atkins 
had been running some of it on the MIT Media Lab computers — and 
they could now recruit volunteers with computers. The response 
was terrific: over 1600 machines worked on the problem, all over the 
world, every continent except Antarctica. The computers ranged from 
garden variety PCs to the 16, 000 -processor Maspar supercomputer at 
Bell Labs. 

A standard measurement of computer power is a MIPS year — one 
year of constant use of a Million Instructions per Second machine. 
From September 1993 to April 1994, the RSA 129 experiment used 
about five thousand of those MIPS years. It was then that Atkins and 
the others guessed that they finally had enough univectors to do the 
final calculations. As planned, they sent it to Lenstra at Bell Labs, who 
would then do the final “matrix reduction.” Atkins sent Lenstra a tape 
with 400 megabytes worth of univectors, via U.S. mail. He also sent a 
backup by FedEx. Lenstra fed it to his machines, and for two days they 
matrix-reduced. On April 24, 1994, Atkins posted the following mes- 
sage on the Net: 

We are happy to announce that 
RSA-129 = 

11 4381 6257578888676692357799761 4661 201 021 8296721 242362562561 8429\3 
5706935245733897830597123563958705058989075147599290026879543541= 
3490529510847650949147849619903898133417764638493387843990820577*3 
2769132993266709549961988190834461413177642967992942539798288533 

Applying that key to the number that represented the enciphered mes- 
sage text, they were able to transform it into a similarly long number. 
This was easily converted to English by one of the oldest decoding 
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schemes in history: 01 = A, 02 = B, and so on. That yielded the secret 
that supposedly would last for a quadrillion years: 

THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE 

Did this discovery rock Ron Rivest’s world? Not really. In the years 
since Gardner’s article, he had kept track of developments in factor- 
ing, and had concluded it wasn’t impossible that one day he might 
have to write out a check for $ 1 00 to someone. (Amazingly, he had 
forgotten the actual message.) He even defends Gardner’s prediction 
that a break in our lifetime was extremely remote. “It was probably 
accurate for the analysis of the fastest algorithm we knew about at the 
time, but technology was moving fast on the factoring frontier.” 

But the very idea of a “factoring frontier” was enough to throw 
some doubt into the security of the most popular public key crypto- 
system. After all, if factoring was easy, RSA was, well, worthless. Of 
course, breaking RSA 1 29 was nowhere near as challenging as crack- 
ing RSA codes set at commercial strength. When the RSA system uses 
129 digits, the key turns out to be 425 bits long. But the stan- 
dard RSA key — the one used by the company’s actual software — was 
1024 bits long. Had the Atkins team attempted the same task with that 
key length, their computers would still be working on the problem — 
for a few million more years. 

Yet that degree of futility had once been predicted for RSA 129. 
Might new techniques to factor numbers melt down even the fattest 
RSA keys? There may well be mathematical breakthroughs to speed 
up factoring, but an even greater threat to the strength of the crypto- 
systems was the development of what are called quantum computers, 
machines that take advantage of subatomic physics to run much faster 
than our current models. (Think of the speed differential between 
turtles and laser beams.) While these machines still existed only in 
theory, scientists had been taking the first difficult steps toward imple- 
mentation. Once the journey toward quantum computers was com- 
pleted, you could stick a fork into the RSA cryptosystem. “I think that 
I shall see a special-purpose quantum factorization device in my life- 
time,” cryptographer Giles Brassard wrote in 1996. “If this happens, 
RSA will have to be abandoned.” This was published, of all places, in 
CryptoBytes, the technical newsletter of RSA Data Security. 
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But that remained speculation. The reality is that Derek Atkins and 
his colleagues took what seemed to be an invincible problem and, 
working informally, with an ad hoc collection of computers, managed 
to crack it. “What we learned is that a bunch of amateurs can get 
together and do this,” he says. And that all claims of invincibility 
should be regarded with skepticism. 

The next target was an irresistible one: the 40-bit crypto allowed by 
the government for export. The point this time would be purely politi- 
cal. If the barn-raising style of cryptanalysis used in the RSA crack was 
directed against the puny key lengths negotiated by the Software Pub- 
lishers Association in 1992 (and, despite government promises, not 
adjusted in subsequent years), those keys would surely fall, and the 
need for stronger crypto would be obvious. 

After one cypherpunk suggested a “Key Cracking Ring,” Tim May 
urged action, guessing that the “CPU horsepower of this list could be 
quite impressively applied” to crack the key in six months, making a 
strong statement against U.S. export standards. (Six months was a 
guess. But comparing the computation effort to the RSA’s crack was 
somewhat like apples and oranges — keyspace search versus factoring.) 

“Heh, I was already working on it ... ,” wrote Adam Back, a 
twenty-five-year-old computer science student at Exeter College in 
England. Immediately after seeing the first posting, he’d begun writ- 
ing scripts to allow people to participate in a group crack. He knew 
what he was doing, since he had been recently playing around with 
Rivest’s RC-4 algorithm — the actual cipher that performed the 40-bit 
encryption permitted for export by the government in programs by 
Microsoft and Lotus. 

A brute-force attack on a bulk encryption cipher like RC-4 or DES 
requires the codebreaker to try out every possible key combination. 
Finding a key requires searching through the entire space of possibil- 
ities; in the case of a 40-bit key there are about a trillion actual possi- 
bilities, enough to keep a pack of computers busy for days. That’s 
what Adam Back had in mind: a mass effort with each attacker claim- 
ing some portion of keyspace, testing it, and then requesting another. 
The process would continue until someone found the key. Back posted 
his scripts to his Web page, and a group of conspirators from various 
corners of the world quickly gathered. Eventually, eighty-nine cypher- 
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punks participated in trying to find a 40-bit key in Microsoft’s data- 
base program Access. 

But the Microsoft Access crack was doomed. After the entire key- 
space was “swept,” none of the millions of potential keys unlocked the 
message. It turned out that the would-be crackers were stuck on 
a technical point that kept them from actually getting the plaintext. 
(“The problem was a lack of specifications,” says Back. “We didn’t 
know what format the file was in.”) 

Still, the cypherpunks emerged from the failed Microsoft attack 
with some group -cracking software, a loose yet dedicated organiza- 
tion, and a continuing desire to expose what they believed was the piti- 
ful sham of export-level crypto. And then the cypherpunks hit upon an 
even better target for a brute-force attack: Netscape. 


In 1993, two students at the University of Illinois had engaged in a 
coffeehouse conversation that would not only change the course of the 
twenty-two-year-old international network called the Internet but 
would profoundly affect the adoption of crypto. One of them, a 
chunky undergrad named Marc Andreessen, had recently been learn- 
ing about a new system on the Internet brashly named the World Wide 
Web by its inventor, Tim Berners-Lee, a British computer scientist 
working in Switzerland. The Web was an ingenious way to publish 
and get access to information on the Net, but only a few in the tech- 
nical community had adopted the system. Andreessen saw a wider 
potential. If someone created a slick “browser” to surf through the 
information space created by a multitude of people who shared text, 
pictures, and sounds on the Web, he said to his colleague Eric Bina, the 
Internet itself would be easier to use and a better way to get informa- 
tion. The pair, both of whom worked at the Supercomputing Center at 
the university, created Mosaic, the first great Web browser. Instead of 
being forced to use arcane commands and tackle a baffling alphabet 
soup of acronyms, people could now get all sorts of wonderful stuff 
from handmade Web “pages” — at the click of a mouse! It was an 
instant phenomenon; to use Mosaic was to swoon with the excitement 
of participating in a vast experiment with the future of informa- 
tion sharing. Soon a team at Illinois had churned out versions of the 
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program for virtually every computing platform. Millions of people 
downloaded them, and thousands of Web sites sprang up to take 
advantage of the audience. 

In 1994, Andreessen had another famous cup of coffee, this time 
with Silicon Valley entrepreneur Jim Clark. The just-departed CEO of 
Silicon Graphics was casting about for a big new idea for a start-up 
company, and with this college kid he hit one of the richest pay dirts in 
history. Clark, who’d been unaware of the Web boom up till then, 
quickly realized that there were untapped commercial possibilities for 
the Web, and grabbed not only Andreessen but most of the Illinois 
team to start Mosaic Communications. (When the university objected 
to the name, Clark changed it to Netscape.) The idea was to develop 
an improved browser called the Navigator, along with software for 
"servers” that would allow businesses to go on-line. The one missing 
component was security. If companies were going to sell products and 
make transactions over the Internet, surely customers would demand 
protection. It was the perfect job for encryption technology. 

Fortunately Clark knew someone in the field — Jim Bidzos. By the 
time negotiations were completed, Netscape had a license for RSA and 
the company’s help in developing a security standard for the Web: a 
public key-based protocol known as Secure Sockets Layer. Netscape 
would build this into its software, ensuring that its estimated millions 
of users would automatically get the benefits of crypto as envisioned 
by Merkle, Diffie, and Heilman, and implemented by Rivest, Shamir, 
and Adleman. A click of a mouse would send Netscape users into 
crypto mode: a message would appear informing them that all infor- 
mation entered from that point was secure. Meanwhile, RSA’s encryp- 
tion and authentication would be running behind the scenes. 

Jim Bidzos drove his usual hard bargain with Netscape: in exchange 
for its algorithms, RSA was given 1 percent of the new company. In 
mid- 1995, Netscape ran the most successful public offering in Wall 
Street’s history to date, making RSA’s share of the company worth over 
$20 million. (Not bad, Bidzos realized, for a company that was just 
about flatlining until Lotus’s $100,000 advance for the Notes license.) 

It was just after that eye-opening IPO that a cypherpunk named 
Hal Finney began looking at Netscape’s security. Finney, a Santa 
Barbara-based programmer who had participated in PGP develop- 
ment, was particularly interested in how cryptography would be used 
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with electronic commerce, and had become familiar with Netscape’s 
Secure Sockets Layer. In adhering to the export regulations, Netscape 
had released two versions of the browser: a domestic version with a 
128-bit key for its RC-4 encryption function, and a 40-bit version for 
export. 

Finney set up a challenge to break a message encrypted with that 
weaker key. He would make a dummy Netscape transaction — just as 
if he were a customer — then use the encryption in the export version. 
“I basically connected to Netscape in one of their secure pages and 
typed in some random data where I was supposed to be ordering a 
T-shirt or something,” he says. Then he captured the encrypted data 
and included it in his challenge: 

Date: Mon, 10 Jul 1995 16:13:52-0700 
From: Hal <hfinney@shell.portal.com> 

To: cypherpunks@toad.com 

Subject: Let’s try breaking an SSL RC4 key 

Since this whole Microsoft Access thing turned out to be 
a dud, maybe an alternative would be to try breaking the 
40-bit RC4 used in Netscape’s SSL (Secure Sockets Layer) 
exportable encryption . . . 

From England, Adam Back’s group accepted the challenge. Though 
Back’s original intent seems to have been to apportion the keyspace 
among many people, he wound up accepting the offer of an Australian 
programmer to organize half the search. The rest of the keyspace was 
to be swept by volunteers who were assigned slices. But there was 
some confusion between the two groups that slowed down the effort 
for some days. 

It was during this lull in the action that Damien Doligez began to 
wonder what was taking so long. Doligez was a twenty-seven-year-old 
computer scientist who had just gotten his Ph.D. a few months before 
and was working as a researcher at INRIA, the French government 
computer lab. His office was in one of a cluster of shacks in what was 
once a NATO base a few miles outside of Versailles. Doligez had a per- 
sonal interest in crypto. He shared the sense of disgust at the way gov- 
ernments attempt to suppress their citizens’ ability to communicate 
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privately with each other, and he believed that if someone cracked one 
of those artificially lame 40-bit cryptosystems, it would be a blow 
against the powers that be. He also guessed that after the successful 
RSA 129 crack, a two- or three-week effort should do the job. So as 
time passed between Finney’s challenge and its solution, he wondered 
what the hell had happened. 

As a researcher at INRIA Doligez had access not only to the work- 
station in his small office, but also to an entire network of computers, 
including a Maspar supercomputer. Doligez studied the SSL specifica- 
tions and concocted a small program to allow a computer quickly to 
test out a potential key, then adapted the program so it would work on 
the various machines on the INRIA network, as well as on some 
machines at the nearby universities, L’Ecole Polytechnique and L’Ecole 
Normale Superieure. 

Then he began his own multiple -computer attack. Whenever an 
INRIA worker would stray from his or her computer, within five min- 
utes, Doligez’s program would take over the machine, crunching per- 
haps 10,000 keys a second. Simply by touching the keyboard, a user 
could regain control over the machine. No one complained. 

Doligez figured that his odds of finding the key would be better if 
he started from the end of the keyspace and worked backward. “I fig- 
ured the cypherpunks would start from the start, so I started from the 
end.” He set his network into action on Friday, August 4, and left for 
the weekend. On Monday, he returned and discovered a bug in his 
program. He restarted the process. From that point, the number 
crunching ran perfectly, but he wound up writing ten new versions of 
the software over the next few days to address glitches in the commu- 
nications between machines. The program was working fine when 
Doligez left work on Friday, August 1 1 . Due to a national midsummer 
holiday that next Tuesday, on August 1 5, it would be a four-day week- 
end, but checking on his home computer before the holiday ended, his 
software gave him the message he was waiting for. 

“I saw it found the key,” he says. SSL had been cracked! 

The following day, Damien Doligez drove to work from his home 
outside Paris and recovered the key from his workstation, then suc- 
cessfully decrypted the message. He posted a message to cypherpunks 
with the heading “SSL challenge — broken!” As proof, he displayed the 
plaintext. Those familiar with the RSA 129 crack appreciated the sig- 
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nificance of the address of the fictional character that Hal Finney had 
created in his coded message. Mr. Cosmic Kumquat, of SSL Trusters, 
Inc., lived at 1234 Squeamish Ossifrage Road. 

Though technically it was anything but shocking — the mathematics 
of cryptography dictated that a weak key should fall to a concentrated 
effort — the very idea of cracking Netscape’s crypto captured the 
imagination of the popular press. The media descended on Damien 
Doligez. Because the break occurred only a week after Netscape 
enjoyed perhaps the most successful IPO in history, some journalists 
played the crack as if it spoke to the nature of the browser’s overall 
security, and not as an example of the way the government export 
rules weaken software in general. In a message that Netscape posted 
on its site later that week, the company noted that Doligez had simply 
broken one message — and that it took about 64 MIPS years to do so. 
Netscape also estimated that the cost of breaking the message had 
been $10,000. But as Doligez pointed out in his own response, he had 
used idle computer time, and paid nothing to do so. Netscape was 
on firmer ground when it noted that the domestic version of Naviga- 
tor used a much sounder 128-bit key. “The computer power required 
to decrypt such a message would be more than a thousand trillion tril- 
lion times greater than that which was used to decrypt the RC-4-40 
message,” wrote Netscape. 

Which as far as the cypherpunks were concerned was exactly the 
point: export-level crypto was needlessly weak. 

But the cypherpunks were not through with Netscape. At Berkeley, 
two first-year graduate students were inspired by group cryptanalysis. 
They were twenty-two-year-old Ian Goldberg and twenty-two-year- 
old Dave Wagner. They, too, thought it would be a good idea to hack 
Netscape, the new flagship for Internet security. But they had missed 
out on the obvious brute-force attacks — Goldberg had been moving 
to California from his native Canada and Wagner had just arrived after 
getting his undergraduate degree at Princeton. So they began to 
explore a different mode of attack, more akin to the second of Robert 
Morris’s recommendations: look for plaintext. Could it be possible that 
the Netscape security team made some simple yet egregious error in 
implementing their software, thus exposing what might be millions of 
electronic commerce transactions to eavesdroppers? Not likely. But, 
as Morris had suggested, you never know unless you look. 
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And that’s when Wagner saw it. Buried in the code were the 
instructions for Netscape’s Random Number Generator (RNG). This 
is an important part of any sophisticated cryptosystem — the piece of 
code crucial to scrambling the letters so that the encoded text offers 
no tell-tale patterns that would help a cryptanalyst. It is well known 
that a lack of true randomness is a weakness smart codebreakers can 
eventually exploit. So it is important to have a solid RNG — something 
that spins the alphabetic roulette wheel thoroughly. 

An important part of a good RNG is the use of an unpredictable 
“seed” — a number that begins the randomization process. Since, 
unlike dice, computers do the same thing each time they run, it is 
essential to begin the process with a seed that a potential opponent 
cannot possibly guess. Methods of doing this often include using some 
off-the-wall statistics from the real world — the position of the mouse, 
for instance. Anything that an enemy could not possibly know. 

Netscape, as it turns out, had ignored this wisdom. When Dave 
Wagner looked closely at the code, the error jumped out at him. 
Netscape derived the seed of its RNG from three elements: the time of 
day and two forms of user identification called the Process ID and the 
Parent ID. A disaster. A foe would burn few computer cycles and even 
fewer brain cells finding the first part of the seed: it is easy to run 
through the limited number of times of day. And in many cases, both 
kinds of identification numbers were also easy to find, particularly if 
someone is sharing a server with a number of people — as often hap- 
pens in an Internet environment. “If an attacker has an account on 
your machine, it’s trivial,” says Goldberg. “Here at Berkeley, there are 
thousands of users. If anyone uses Netscape, you can discover the 
IDs.” But even without that advantage, it would be fairly trivial for 
attackers to calculate out those IDs. The identification numbers in 
question were only fifteen bits long, easily susceptible to brute-force 
attacks. 

Over the course of a weekend, Wagner and Goldberg wrote a pro- 
gram to exploit the weakness. On Sunday night, they tested it. By 
zeroing in on the huge flaw in Netscape’s implementation, they were 
able to find a secret key in less than a minute. Hasta la vista, Netscape 
security. Goldberg posted the result on the cypherpunks’ mailing list 
that night. “We didn’t expect lots of press,” he said. Silly boy. Among 
the readers was a New York Times reporter. When the story ran in the 
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Paper of Record, the two grad students were deluged with curiosity 
seekers and journalists. Of the things that the two grad students had 
to say, perhaps the most sobering was Goldberg’s observation, “We’re 
good guys — but we don’t know if this flaw has been discovered by bad 
guys.” 

Unlike the first Netscape crack, where the company could quite 
rightfully claim that their otherwise strong crypto was crippled by gov- 
ernment restrictions, this was a total flub. You didn’t need to tap a 
multi-workstation network, or get access to a supercomputer. In cer- 
tain circumstances all you needed was a minute’s worth of crunching 
on a vanilla Pentium machine. “Our engineers made an implementa- 
tion mistake,” admitted Mike Homer, Netscape’s vice president of 
marketing. 

The error cast a shadow on the security of the leading Internet soft- 
ware company. “If Netscape did this wrong, what else did they do 
wrong?” asked cryptographer Bruce Schneier. But the more pressing 
question was, if Netscape was unsafe, what was safe? Netscape, after 
all, was making a concerted effort to protect its users. If the Naviga- 
tor could be cracked so easily, what hope was there for the others? 

There was a bright side to the event: you could argue that things 
worked properly because the cypherpunks publicly exposed a weak- 
ness, which Netscape immediately moved to fix. But the lasting lesson 
was somewhat darker. As the Internet proliferated, the public was 
beginning to become truly dependent on networked computers for 
financial transactions and storing private information — everything 
from buying books to making stock trades to paying bills. New busi- 
nesses were planning to put medical records on-line. But security was 
still haphazard at best. And more and more, it was becoming clear that 
one big reason for this failing was the United States government’s 
long-term stalling action. While it tried to push Clipper and key 
escrow as its pet solution to the problem, the Internet kept going — 
without an organized effort to provide the protections it needed. 


During the mid-1990s, though, those trying hardest to bring to 
fruition a new era of cipher protection — one that would finally secure 
the Internet and other electronic means of communication — found 
themselves under increasing fire. It seemed that those in charge of the 
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laws and institutions of society, while not able to shut down mathe- 
matical and engineering progress, could do plenty to make crypto 
innovators know that their actions had consequences. The question 
became how far was the government willing to go to invoke those 
consequences. 

For Ray Ozzie of Lotus such a lesson in power would have seemed 
unnecessary: he was committed to working within the system. 
(Besides, in 1993, Lotus had officially joined the Establishment when 
it was bought by IBM for $3 billion.) In the years since his early adop- 
tion of RSA, Ozzie had become a vocal figure in the crypto battles, tes- 
tifying in Congress and visiting key administration figures. Though his 
procrypto bias was plain, Ozzie’s easy manner and willingness to con- 
sider the opposing view earned him the respect of even export hard- 
liners. He was a realist. Unable to wait for the government to liberalize 
its rules, he was constantly brainstorming for innovative ways around 
the export impasse. 

After the Netscape crack, overseas buyers of Lotus Notes became 
increasingly uneasy using the 40-bit encryption IBM was permitted to 
ship overseas. They wanted to know why it was that American cus- 
tomers were sold a version with 64-bit keys, millions of times more 
difficult to break — while their version could be cracked by some ran- 
dom postdoc outside Paris. (Meanwhile, companies like Microsoft, 
which didn’t want the hassles of making two flavors of the same prod- 
uct, gave all their customers weaker crypto. This made the whole 
product line less valuable to those who wanted encryption, and some 
of those customers began buying from foreign companies that could 
legally sell them strong crypto.) 

In 1995, Ozzie came up with what seemed a preferable compro- 
mise, at least in the short term: a mathematical fix devised to satisfy 
the NSA’s requirements. Though Ozzie hated Clipper, his scheme was 
sort of a less onerous version of it. Lotus would still sell two versions 
of Notes, but unlike prior versions, both would have 64-bit encryption. 
But the international version would have a little gift for the NSA: 
something called the National Security Access Field (NSAF). This 
consisted of 24 bits of the encrypted data that the NSA, and only the 
NSA, could decode. It was to be encrypted by the NSA’s public key, 
so only the folks at The Fort could exclusively decrypt that field. After 
the NSA used its private key to unscramble the 24-bit NSAF, the 
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Notes-encrypted messages would have shrunk from 64-bit cipher- 
text to 40-bit ciphertext. Cracking the remaining code would require 
precisely the same work factor as messages encrypted with 40-bit 
keys shipped under the old system. But since the overall encryption 
was stronger against all attackers other than the NSA — and it was 
those other attackers most users were worried about, like vandals or 
industrial spies — Ozzie figured that this solution might help in the 
short run. 

Lotus filed two patents for its innovation, called “Differential Work- 
factor Cryptography Method and System,” in December 1995, and 
included the innovation in the new version of its software, Notes 
Release 4. He first spoke about it publicly in January 1996, at the RSA 
Data Security Conference in San Francisco. The conference was 
another of Jim Bidzos’s marketing brainstorms. Since 1990, the RSA 
Data Security honcho had been gathering commercial crypto cus- 
tomers in the Bay Area, sponsoring a few days of seminars and a small 
trade show where vendors could show their wares. From a gathering 
of a few dozen geeks at the Sofitel Hotel near RSA’s Redwood City 
offices, the conclave had grown to thousands and was now held at a 
large hotel near Union Square. Ozzie’s speech drew a lot of attention, 
and not a little hand-wringing: some wondered whether the dynamic 
designer behind Notes had given up the fight. 

No, he hadn’t. Ozzie was just pursuing a more subtle agenda. “I 
wanted to stir things up,” he said. The idea was to knock a wedge 
between the administration and the NSA. Once A1 Gore had backed 
down from the idea of government-controlled escrow facilities, the 
NSA found little to like in those post -Clipper ideas. If people stored 
keys in private facilities, authorities would need a warrant to get hold 
of them. But the NSA operated in secret and was banned from domes- 
tic surveillance. So the agency might prefer Ozzie’s scheme— which 
gave it a head start in cryptanalysis. (It wouldn’t need a warrant to get 
those 24-bits’ worth of decryption.) Thus, Ozzie’s scheme was far 
from a sellout — it was a subversive strategy to get the NSA and the 
administration arguing for different approaches. In the confusion, he 
hoped that his industry could sneak through its own solution. 

Before Ozzie could congratulate himself on his cleverness, he dis- 
covered that the government was not without its own means for deal- 
ing with such strategies. On December 30, 1996, both Ozzie and his 
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coinventor Charles Kaufman received letters labeled in boldface: 
secrecy order. Their patent application, read the letters, “contains 
subject matter the unauthorized disclosure of which would, in the 
opinion of the sponsoring defense agency, be detrimental to the 
national security.” (In the space where the government patent officer 
could check off which agency that was, there was an X next to 
“ARMY.”) Disclosing the subject matter to anyone without authoriza- 
tion, they were warned, would subject the inventors and IBM to a 
penalty, including a jail term. Finally, they were instructed, any copies 
of the subject matter “should be destroyed by a method that will pre- 
vent disclosure of the contents or reconstruction of the document.” 

Ozzie, who received the order on January 7, 1996, immediately 
understood that complying with that order presented something of a 
problem. Not only had he spoken in detail about the scheme numer- 
ous times, but the “subject matter” had also already been distributed 
to almost six million Lotus Notes users, about half of whom were out- 
side the United States. He quickly informed his bosses at Lotus, who 
immediately began pondering the consequences of having one of the 
most popular software programs in the world deemed a government 
secret. 

Perhaps the best thing Ozzie did was to have a friend call the deputy 
director of the NSA, Bill Crowell, who reportedly laughed when he 
heard of the news, and told the friend he’d look into it. On January 9, 
Crowell called Ozzie. It was all a mistake, he said. Everything would 
be fixed. Indeed, the next day, when IBM attorneys got in touch with 
the Patent Office, they got a verbal confirmation that the order had 
been rescinded, and later got a fax to that effect. No longer were Ray 
Ozzie, his coinventor, and IBM liable for about six million violations 
of the patent secrecy act. But after everyone had some time to breathe, 
questions remained. If this was the fate that welcomed someone try- 
ing to serve his customers in the spirit of key escrow, what would hap- 
pen to those who outright challenged the government? 

Jim Bidzos could answer that question. As he took the most public 
stance possible in opposition to the government — he even distributed 
posters urging people to “Sink Clipper” — the relationship between his 
company and the NSA had gotten more contentious. Though Bidzos 
had no hard evidence of having been wiretapped, he assumed that he 
was under surveillance. Perhaps the most egregious confrontation 
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came in April 1 994, during a meeting with three N SA export officers, 
all of whom Bidzos had been grappling with for years. Two were 
women he’d come to trust to some degree, but the third was a man 
who clearly despised Bidzos and his company. 

Since the NSA reps didn’t open the meeting with any specific 
issues, Bidzos used the opportunity to lecture them about Clipper: no 
one would use it, it was a flawed system, yadda yadda. Bidzos noticed 
the man from the NSA getting more and more agitated. Finally the 
official spoke. If I see you in the parking lot, he said, I’ll run your ass 
over. 

Bidzos recalls being stunned but finally he replied. “I’ll give you an 
opportunity to retract that or apologize,” he said. But the man kept 
pressing. I’m serious, he raged. You don’t understand me, do you? 

Was Bidzos getting an official warning, sort of a Triple Fence 
equivalent of a Mafia kiss on the lips? Should he avoid parking lots? 
Bidzos felt that most likely the guy was probably just venting, but he 
didn’t want to let the threat go unchallenged. He told a newspaper 
reporter, and the story found its way into the local paper. Not long 
afterward Bidzos received a phone call from the NSA guy’s boss. Bid- 
zos got an apology. Even if his life wasn’t at risk, though, Bidzos felt 
that the agency wanted him out of business. 

But at least Bidzos wasn’t under the threat of indictment. That fate 
was reserved for his sometime nemesis Phil Zimmermann. 

Ever since the release of Pretty Good Privacy, Zimmermann had 
assumed that his biggest problem was the intellectual property dispute 
with RSA. Jim Bidzos thought nothing of publicly attacking Zimmer- 
mann, and at the drop of a fax button, he would zip journalists a copy 
of Zimmermann’s (ambiguously) written promise to stop distributing 
PGP, a vow apparently not kept in spirit. But Zimmermann never 
thought that he would find himself under criminal investigation. So 
when two women from the U.S. Customs Service in northern Califor- 
nia came to visit him in 1993, he assumed that they were there at Jim 
Bidzos’s bidding. Indeed, though the investigators wanted to know 
how PGP was distributed, many of the questions dealt with PGP’s 
similarity to RSA’s products. As far as technological expertise, the 
investigators seemed clueless. Zimmermann had to explain to them 
the very basic ideas of crypto and software distribution. When they left 
he felt that he had little to worry about. The whole thing was some 
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Bidzos harassment, he figured. “I don’t think that there will be action 
against me,” he said at the time. “They raised questions about the 
[export regulations], but I diffused that.” 

Not quite. United States Attorney William Keane was indeed con- 
cerned about a possible export violation. After all, within hours of 
PGP’s release on the Internet, the strong crypto program had found 
its way overseas. It’s unclear whether pressure from Washington 
had anything to do with it, but some weeks later, Keane informed 
Zimmermann that he was under investigation for illegally exporting 
munitions. (Kelly Goen, who had identified himself to MicroTimes 
columnist Jim Warren as a Johnny Appleseed of PGP, was also a 
potential target.) 

For the next three years, Zimmermann was in legal purgatory, 
investigated by a grand jury but unindicted. His lawyers advised him 
to lie low. But PGP’s fame had given Phil Zimmermann a taste for 
speaking out loud. Besides, he felt that his best chance lay in taking 
the case to the public. Whenever he had talked to just plain folks about 
PGP and crypto issues, they had become outraged at the prospect of 
the government’s limiting the ability of people to communicate pri- 
vately. He suspected, with good reason, that even techno virgins 
would be equally indignant at this new atrocity: here was Big Brother 
himself, contemplating a prison cell for someone who freely distributed 
privacy software to freedom fighters, lovers, and those who simply felt 
that their secrets were nobody’s business. What’s more, the case 
against Zimmermann himself was weak; he wasn’t even the one who’d 
posted his program to the Net. The guy who had had told Jim Warren 
that he scrupulously limited the uploads to American sites. Was the 
Justice Department actually asserting that export restrictions pro- 
hibited U.S. citizens from distributing legal materials to other U.S. 
citizens? 

Oh, the export regulations. The more you looked at them, the 
weirder they appeared. One recent controversy involved Bruce 
Schneier’s 1994 book, Applied Cryptography. It was a technical cor- 
nucopia of cryptological mathematical theory, explanations of popular 
cryptosystems, and all the algorithms that a security specialist or 
cypherpunk would ever need. The Millennium Whole Earth Catalog 
called it “the Bible of code hackers.” But while anyone could ship the 
physical book overseas, the crypto restrictions seemed to ban the 
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export of those same contents in digital form. At least that’s what 
cypherpunk Phil Karn found out when he applied for a “commodities 
jurisdiction” (or CJ) to export the book, along with an accompanying 
floppy disk with the same contents on it. Officials confirmed that the 
book could be exported, but not the floppy. It seemed absurd. 

So Zimmermann talked, and generated publicity. He seldom failed 
to note that Burmese rebels reportedly used PGP to avoid the deadly 
consequences of being discovered in antigovernment activities; in tes- 
timony to a congressional hearing in 1993 he also noted that he’d 
received an effusive thank-you from a Latvian patriot who claimed, 
“your PGP is widespread from Baltic to Far East and will help demo- 
cratic people if necessary.” When confronted with the charges from law 
enforcement agencies that PGP was particularly useful to criminals — 
in one Sacramento case, the cops couldn’t read a pedophile’s diary 
encrypted with Zimmermann’s software — he argued that all tech- 
nology has trade-offs. 

Perhaps the highlight of Zimmermann’s odd celebrity came one day 
in San Francisco when some businesspeople decided to take him for 
an evening on the town that wound up at a North Beach strip club. 
The young lady lap dancing in proximity to Zimmermann asked casu- 
ally what he did. “I’m a cryptographer,” he said. “I wrote a program 
called PGP.” 

The lap dance stopped in midgyration. “You’re Phil Zimmer- 
mann ?” she asked in awe. “I know all about PGP!” 

True, cypherpunk sex workers were not everyday occurrences. But 
PGP’s audience was beginning to extend beyond techies and privacy 
nuts. The Wall Street Journal described how PGP was used by lawyers 
maintaining electronic confidentiality with clients, authors protecting 
their works in progress from copyright infringers, and an astronomer 
staking his claims to his celestial discoveries. 

In order to entice commercial audiences, Zimmermann had licensed 
the code to a company called ViaCrypt. Since ViaCrypt already had 
paid a licensing fee to RSA, it could sell PGP to business customers 
without fear of a lawsuit. (Supposedly paying two license fees was 
worth it, since PGP had become, by virtue of its underground follow- 
ing, a wonderful brand.) Beginning in 1994, the main distribution 
point for the much more popular freeware version was an unexpect- 
edly mainstream ally, the Massachusetts Institute of Technology. Some 
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there, notably professor Hal Abelson and network manager Jeff 
Schiller, believed that the Institute should be allowed to provide 
Americans with programs that they were legally permitted to use — 
and do it on the Internet, which was by far the most expedient method 
of software distribution. So MIT stored the latest versions of PGP on 
its Internet server and allowed anyone to download it — after asserting 
that they were, indeed, Americans. 

The honor system obviously wasn’t what the government had in 
mind when establishing the export laws. So flimsy was the MIT pro- 
tection against export that copies of PGP downloaded from its site 
were spotted outside the country two days after the program was made 
available. Still, the citizenship restriction apparently was sufficient for 
MIT to avoid official complaints, let alone a criminal investigation. Not 
that the government officially approved of the arrangement. In one 
memorable session at a 1995 conference, MIT’s Jeff Schiller and NSA 
counsel Ronald Lee (who replaced Stewart Baker in 1994) faced off. 
Despite repeated pleas to make some sort of statement about whether 
MIT’s restrictions were sufficient, Lee refused to draw even the 
vaguest guidelines for what was permissible and what could land you 
in jail. Meanwhile, the MIT Press published a book (those analog 
dead-tree artifacts were still around) that contained nothing but hun- 
dreds of pages of C source code — the entire PGP program, formatted 
so that computer scanners and character recognition software could 
easily transform the printed hard copy into a real-life industrial- 
strength crypto product. It seemed almost surreal that such a scheme 
could be legal while a grand jury still contemplated indicting Phil Zim- 
mermann, but that was the shaky state of crypto export policy in 1995. 

Another crypto rebel faced with intrusions from the nasty real world 
was Julf Helsingius, the Finnish programmer who ran one of the first, 
and certainly the most popular, remailers in the world. By 1995, his 
operation called Penet was a shining example of crypto anarchy, strip- 
ping identification from thousands of messages each week, and send- 
ing them off on their merry anonymous way. Its operator was himself 
becoming well known in certain circles — and reviled by government 
doomsayers who warned that such services would prove the end of 
civilized society itself. But when the real trouble came it was not insti- 
gated by a government, but a private group: the Church of Scientology. 
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Scientologists had been routinely incensed by the criticisms of 
unhappy former members on Internet discussion groups. In some 
cases, these apostates had obtained church documents and were post- 
ing them on the Net. Scientology officials wanted to charge these peo- 
ple with violating the church’s copyright and trade secrets. But since 
the addresses of the critics were laundered through the cypherpunk 
remailer system — very often on Penet, as it turned out — there was no 
easy way to find who was responsible for the messages. 

Then it turned out there was a way. Penet — unlike many of the 
cypherpunk remailers — was “two way,” enabling people to respond 
directly to anonymous postings. This required a means for Julf’s sys- 
tem to keep track of who was sending messages. First, church lawyers 
wrote a letter to Helsingius, formally notifying him that his service was 
forwarding mail that violated their copyright. Julf politely replied that 
his policy was to keep hands off the traffic going through his com- 
puters. Didn’t they “get” remailers? The lawyers wrote back, threaten- 
ing legal action. Helsingius, in Finland, figured that the chances were 
slight that these faceless attorneys in California could do any such 
thing. Then Julf Helsingius’s phone rang. It was a representative of the 
Church of Scientology, in person. In Finland. 

Would Julf like to be taken out for dinner? 

No sense in turning down a meal, Julf figured. He suggested a Thai 
joint. The man was friendly, saying that he was a retired policeman, 
and that all he wanted was two things: for the messages to stop, and 
for Helsingius to let him know who was sending them. 

“I’m sorry,” said Helsingius, “I can’t do that.” 

But the Scientologists were not relying on Julf Helsingius’s good 
will to cough up a name. They filed a complaint with the Los Angeles 
police, charging that their stolen property was being shipped over the 
Internet, and fingered Julf as someone willfully withholding the iden- 
tity of the thieves. In Finland, that’s a grave crime, sufficient to get a 
search and seizure warrant. 

About a week after apologetically turning down the retired cop, Julf 
Helsingius got another call — from the Helsinki police. We have a 
court order, they told him, and must take your computer away so it can 
be searched. Helsingius’s heart sank — he knew that he had to comply. 
(Ironically, if Helsingius had used readily available crypto software to 
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encrypt his data and protect his customers, such a search would have 
proven useless. But because of “performance reasons” — “the database 
is huge,” he explains — he did not encrypt the contents of his disk.) 

But while Helsingius knew that he had to give up the single cus- 
tomer whom the Scientologists wanted, he didn’t want to put thou- 
sands of others at risk. Fortunately, in keeping with the cordial 
relations Finns have with their police, he was able to negotiate a trans- 
fer that would not require him to turn over the contents of his entire 
database. Helsingius simply copied the e-mail address of the offend- 
ing party onto a floppy disk, and set it on the table, allowing the police 
to take possession of that disk. “I was not too happy, but it was a com- 
promise,” he says. 

Helsingius’s troubles were not over, however, because another 
institution of the real world was about to rain on his crypto anarchy 
parade: the media. The same day he handed over the disk to the 
police, a story ran in a Swedish newspaper claiming that the majority 
of all child pornography on the Internet was routed through a server 
in Finland. Obviously it was referring to Penet. But Julf knew that his 
service did not distribute such materials, since he blocked “binaries” 
(digital photographs). Not that people cared to check. When he 
tracked down the source of the information, it turned out that some 
child pornography ring had forged the headers on porno binaries, 
making it look as if the stuff came from his site when it actually was 
posted from a location in the United Kingdom. Still, the publicity was 
damaging, and became worse when a British newspaper repeated the 
charge, this time citing Helsingius personally as the evil middleman of 
Internet kiddie porn. 

Meanwhile, the Scientology civil case wasn’t going away; Helsingius 
was called to a Finnish court to explain why he shouldn’t turn his 
names over. By then he had taken measures to protect the security of 
the 700,000 e-mail addresses on his server. The names still weren’t 
encrypted, but hidden: he’d moved the computer out of his home to a 
storage room at a secret location. And he’d hired lawyers, though God 
knows he didn’t have the money for that sort of thing. He claimed to 
the Finnish court that those who used his services were entitled to pri- 
vacy. But to his dismay, the judge ruled that e-mail shouldn’t have the 
same protections as physical mail. The whole thing had taken cyber- 
space a step backward, at least in Finland. 
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That was it for Julf Helsingius. “The decision was quite clear,” he 
said. “There’s no way you can run a server like mine in Finland.” So 
on August 30, 1996, he shut down Penet. The ineluctable lesson was 
that while technology can provide crypto freedom, the real people who 
use it must live in the real world — where governments and regulators 
have the means to track them down. The real world can make things 
very, very complicated. 

But David Chaum could have told you that, too. 

The maverick inventor of anonymous digital cash — and the holder 
of important patents on electronic money — was having a difficult time 
keeping his company Digicash afloat. Though he had assembled a ter- 
rific staff of enthusiastic programmers and cryptographers at his 
Amsterdam headquarters, there was increasing unrest within the team. 
Chaum wasn’t completing the important alliances he needed to get his 
ideas into the mainstream. The intrigue in his little group intensified 
when one of his former students, Stefan Brands, claimed to have 
devised an alternative means to produce anonymous cash, and began 
exploring ways to license these ideas. Chaum insisted that Brands’s 
work was dependent on his. (Brands obtained valid patents.) Mean- 
while, Digicash was still looking for the big deal. 

Digicash had begun an experimental pilot program on the Internet 
called E-Cash. It used a form of scrip, digital Monopoly money. But it 
really was a test run for the prospect of true digital cash on the Net, a 
form of currency that would one day usurp folding bills and metal 
coins. For now, though, a user could get 100 “cyberbucks” simply by 
asking. The digital tokens could be e-mailed to friends or used to 
“buy” things from any merchants who decided, in the spirit of experi- 
mentation, to accept cyberbucks. All of this was done anonymously. 
Though one participating merchant was the Encyclopedia Britannica, 
which took Chaum’s pretend money in exchange for its articles, most 
of the extremely limited universe of E-Cash merchants was ad hoc 
operations like “Big Mac’s Monty Python Archive Shop,” which 
offered unauthorized transcriptions of that comedy group’s routines 
for various increments of cyberbucks. 

When Chaum finally did break some news, it was with a Midwest- 
ern institution with a name more familiar to literature students than 
international financiers: the Mark Twain Bank. The idea was to deliver 
a version of E-Cash where the units finally could be exchanged for real 
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money, backed by Mark Twain. Then, perhaps, larger institutions 
would jump in. At that point Chaum’s critics — one of whom dis- 
missed his ideas as Walden Pond meets the Internet — might shut up. 
But the Mark Twain scheme never took off. 

It wasn’t just Chaum who was having difficulties establishing crypto 
cash as an Internet standard. Electronic commerce hadn’t taken off 
quickly enough, and the still-evolving standards of the Net made any 
sort of crypto-cash scheme relatively hard to use. Chaum’s competitors 
were unfettered by the moral obligation to provide anonymity to their 
digital money — they generally felt that people really didn’t demand it. 
But those companies were falling short of expectations as well, among 
them the well-funded start-up Cybercash and Mondex, which allowed 
consumers to download money on credit-card-sized smart cards 
(think of a bank cash machine on your personal computer) . But those 
disappointments paled beside Chaum’s. It was Chaum who had the 
patents for anonymous digital cash. And when Digicash finally filed 
for bankruptcy in 1998, it was Chaum who lost the patents. 


Yet despite the problems and harassments suffered by the crypto revo- 
lutionaries in the mid-1990s, their larger cause kept advancing. Skir- 
mishes and setbacks to the contrary, it was the government that was 
on the run. After A1 Gore first retreated by promising to amend the 
Clipper scheme in the letter to Representative Cantwell, the adminis- 
tration offered to negotiate a compromise with industry, and several 
meetings were held at NIST’s Maryland headquarters to try and reach 
a consensus. Hopes were high that some scheme would be reached 
whereby export standards were liberalized and any key escrow would 
be truly optional. Some of the things that the government was say- 
ing seemed quite reasonable. But when the administration’s officials 
unveiled the final rules, there were devils in the details. Bottom line: 
the export restrictions would continue as they always had and Clip- 
per’s rules were only partially relaxed (for instance, users would be 
offered a choice of escrow agencies) . The plan earned its sobriquet of 
Clipper II. 

Inevitably, it was followed by Clipper III, in 1996. That plan had a 
new angle. The idea was to give cooperating companies a carrot — if 
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companies promised to build escrow into their future products, they’d 
be allowed to export unescrowed DES -strength crypto now. But in 
practice, this proved no more attractive than the earlier versions. The 
obvious relief would have been a blanket export exemption of reason- 
ably strong crypto. Instead the government tinkered with variations of 
its same old policy. 

One continuing problem for the administration was that foreign 
countries regarded any American escrow scheme with suspicion. At 
one point, a “crypto ambassador” was sent off to try to convince the 
world community that such a global solution could work for all. But 
since he could offer no implementation where all countries had equal 
access to keys, his failure was a foregone conclusion. Some members 
of the administration considered this shortcoming the death blow to 
the entire policy. 

Meanwhile, spurred by complaints that American industry was los- 
ing business to foreign firms selling crypto software, Congress was 
reconsidering a legislative solution. In 1996, Senator Conrad Burns 
of Montana introduced the Security and Freedom through Encryption 
(SAFE) bill, designed to lift export restrictions on programs 
that offered a “generally available” level of crypto. (Presumably, this 
included DES and domestic-strength RSA.) The bill also addressed 
fears that the government might one day declare that Clipper tech- 
nology would be the only permissible crypto: SAFE would specifically 
forbid mandatory key escrow. Burns, a crusty Westerner who felt 
more comfortable seated on a saddle than in front of a computer 
screen, was tickled at his new reputation as a high-tech privacy cru- 
sader. But the bill itself sat bottled in committee, as legislators still 
swayed by NSA’s well -orchestrated briefing stifled what the spooks 
continued to warn them was a threat to national security. “Some peo- 
ple here fully understand the issue,” complained Senator Patrick 
Leahy, an early SAFE supporter. “But with others, they’re talking like 
it was ten years ago, about an industry where ten days is an eternity.” 

If the government’s goal was simply to stall — each day the dike 
doesn’t crack, we win — then its approach could be considered a suc- 
cess. But as the cypherpunk attacks against export-strength crypto 
demonstrated — and the interception of unencrypted cell phone con- 
versations, including the House Republican leadership, dramatized — 


296 | crypto 

such a policy had its perils. The country lacked a strong electronic 
security system, a vulnerability that became more serious as the Inter- 
net wound itself more deeply into the fabric of American life. 

That, at least, was a key conclusion of a major study by the 
National Research Council (NRC). That organization, the research 
arm of Congress, undertook a comprehensive examination of the 
national crypto policy, and recruited a panel of experts from all sides 
of the issue, including former cabinet members, officials from the NSA, 
and critics from business and academia like Ray Ozzie and Marty 
Heilman. Their report, “Cryptography’s Role in Securing the Infor- 
mation Society,” was a surprisingly strong criticism of government 
policy, and recommended continued freedom for domestic encryp- 
tion, relaxed export controls, and, above all, “a mechanism to promote 
information security in the private sector.” In other words, more 
crypto. 

Perhaps the most interesting observation of the study came as a 
result of the classified briefings its members had received. (Three 
of the sixteen members declined clearances and did not attend.) 
Though they could not of course reveal what they had heard in the 
briefings, they could — and did — evaluate the importance of that secret 
knowledge in determining national policy. Answer: not much. “Those 
[classified] details . . . the report stated, “are not particularly relevant 
to the larger issues of why policy has the shape and texture that it does 
today nor to the general outline of how technology will and policy 
should evolve in the future.” So much for the “If you only knew what 
we know” argument. 

Some people in the administration chafed at that conclusion. (In 
the NSA, there was even some unhappiness that the title of the report 
could be read as an acronym, CRISIS.) They conceded that the clas- 
sified briefings given the NRC participants were thorough, but con- 
tended that to really understand the issue, you have to live and breathe 
intelligence. Sure, Marty Heilman or Ray Ozzie understood in theory 
that it was important to wiretap a crook or intercept a terrorist’s call 
on a cell phone. But every morning the president and the vice presi- 
dent got nice thick books that zeroed in on the world’s pressure 
points — everything from cracked diplomatic dispatches to the ear- 
phone conversations of Russian mafiosi. The Clinton people knew 
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damn well that if crypto was universal, significant hunks of those 
books would disappear. 

But that fine point was lost on the general public — and indeed on 
much of Congress, which commissioned the study. Instead, the NRC 
report stood as a call to arms to drop the silly restrictions against 
crypto and start using it to strengthen our own systems. After all, it 
argued, the genie’s out of the bottle. And quietly, some of the 
staunchest defenders of government’s control of crypto were them- 
selves admitting it, too. 


Then another front opened in the crypto wars. For the first time, 
export regulations were facing a serious challenge in the courts. A 
decade earlier, the NSA’s Bobby Ray Inman felt that he had success- 
fully fended off the 1978 opinion of a Justice Department lawyer that 
the export regulations violated the First Amendment. But no judge had 
ever addressed the issue. Many legal experts thought that if a ruling 
did come on the question, it might not be to the liking of the crypto 
community. Indeed, a recent decision involving cypherpunk Phil Karn’s 
legal challenge to export the floppy disk version of Applied Cryptog- 
raphy ended in flames. Rejecting the idea that the same information 
permitted for export in hard copy should be provided the same privi- 
lege in digital form, a federal judge had not only denied the request but 
also delivered a withering opinion on Phil Karn’s request, virtually 
accusing him of an immoral attack on national security. But that was 
a sideshow to a more important suit: that of Daniel Bernstein. 

Bernstein was a graduate student at Berkeley. He’d become inter- 
ested in crypto and security after someone hacked his own computer 
account in 1987, and thereafter wanted to include crypto algorithms 
in his course work. As a reflection of how times had changed, courses 
focusing on cryptography were now almost mainstream. Technically, 
though, regulations seemed to forbid anyone from placing a crypto 
concoction somewhere a foreigner might see it. Which was exactly 
what Bernstein wanted to do. 

Bernstein’s project was inspired, coincidentally, by something 
Ralph Merkle had produced at Xerox PARC in 1989: a hash function 
called Snefru. Written in 1990 when he was an undergraduate at 
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NYU, Bernstein’s addition to Snefru playfully tweaked the illogic of 
the export codes. He knew that while encryption programs were sub- 
ject to restrictions, hash functions like Merkle’s (which don’t scram- 
ble information per se) were not. So Bernstein wrote a program that 
transformed the hash function Snefru into something that could per- 
form encryption and decryption. (Think of Snefru as a banned auto- 
matic weapon shipped through customs without a trigger, and the new 
program as a kit that installs the missing part.) “It takes any good hash 
function and turns it into a good encryption function,” he later 
explained of his creation. He called his crypto package Snuffle and 
wrote a paper to describe what he’d done. But he was worried about 
publishing it, figuring, he later said, that “the government might not 
be too happy about me pointing this out.” So he put Snuffle on the 
shelf. 

But at Berkeley in 1992, he reconsidered. Why not publish Snuffle? 
After all, it was not a commercial product but an academic exercise. 
Since the actual encryption relied on an already-published hash 
algorithm — he introduced no original encryption algorithms of his 
own — it presented no threat to the republic, so why would publishing 
it be a problem? The obvious place to release it was the sci.crypt 
discussion group on the Internet. But before uploading Snuffle to 
sci.crypt, he decided to take one final precaution to make sure he 
wasn’t violating any laws. He would ask someone in the government 
if such a step was permissible. 

That little step kept Snuffle off the Internet for the rest of the twen- 
tieth century. 

Bernstein’s first problem was identifying the proper government 
office to handle his request. After a series of queries he finally wound 
up at something called the Office of Defense Trade Controls. He 
sent his letter off in June 1992. To his dismay, the reply, signed by 
William B. Robinson, the director of that mysterious office, asserted 
that distributing Snuffle without a license would indeed put Bernstein 
in legal jeopardy. 

Okay, Bernstein figured, I’ll go through the formality of getting the 
commodities jurisdiction — the “CJ.” First, though, he hoped that the 
Office of Defense Trade Controls would clarify what his rights were, 
and what appeals he might have if he disagreed with a government 
decision. It took him until March 1 993 to get someone to talk to him. 
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Finally he got Charles Ray, the special assistant to William B. Robin- 
son, on the horn. (Bernstein taped his conversations, with permis- 
sion.) Basically, Ray told him that his rights were, well, nonexistent. 
If he posted Snuffle on the Net without clearance, and some foe of 
the United States downloaded his program from a terrorist base in 
Afghanistan or an apartment in Paris, Bernstein might have to scope 
out a jail cell for his next home. “There are no exempt groups,” Ray 
told him. “If you’ve got something considered technical information 
covered by the Munitions List . . . then being a member of the press [or 
an academic] does not provide you with any sanctuary. . . . You can 
still be prosecuted.” But what about the First Amendment? he asked. 

“That freedom carries with it a responsibility to comply with the 
existing legislation and regulations” was Charles Ray’s interpretation 
of the U.S. Constitution. 

A month later, Bernstein finally reached Ray’s boss, William Robin- 
son, who confirmed that a CJ would be required before Bernstein 
could distribute his work. Subsequent conversations with government 
officials were even more frustrating. Not only was Internet posting 
forbidden, but Bernstein might be prosecuted even if he placed a copy 
of his paper in a public library. Of course, the National Security 
Agency became involved, as it always does in export cases of new 
crypto systems. Eventually, Bernstein managed to have some conver- 
sations with NSA representatives, learning that behind the Triple 
Fence some people considered Snuffle “strategic.” This meant, he 
inferred, that it was not trivial to break. “They offered to help me 
rewrite it to make it not strategic,” says Bernstein, but he deemed such 
a move counterproductive. 

So he’d play the game. In September 1992, Bernstein filed for five 
separate CJs. He’d broken the problem up into different versions — 
ranging from English-language descriptions of the system to mathe- 
matical formulas — “to see where they’d draw the line.” Could the 
government consider each one a “defense article”? He still maintained 
a belief that at some point the fog would clear from a bureaucrat’s eyes 
and he would finally realize that Snuffle was simply one graduate stu- 
dent’s academic work, not a weapon. But in October 1993, the gov- 
ernment replied that yes, each one of his mathematical formulas was 
a weapon, “subject to the licensing jurisdiction of the Department of 
State.” 
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Bernstein hadn’t begun the process as a rabble-rouser, but now he 
was himself thoroughly roused. He continued to pursue the case with 
a methodical patience that would prove devastating to the U.S. gov- 
ernment’s eventual defense of its export regulations as they applied to 
Snuffle. He appealed the first CJ. When months passed without a 
response, he decided that he needed help. 

His benefactor was John Gilmore, no stranger to court battles 
against the government. The senior cypherpunk already had accumu- 
lated a file cabinet’s worth of documents with Freedom of Information 
requests originally withheld but later kicked loose by legal appeals. 
Gilmore referred Bernstein to a lawyer named Cindy Cohn, who took 
the case pro bono (the Electronic Frontier Foundation helped with the 
costs and coordinated the effort with supplementary counsel) . In early 
1995, Bernstein and the EFF filed a complaint against the State 
Department, charging that the export laws were unconstitutional. At 
the center of the case was the contention that Bernstein’s computer 
source code was a form of speech, and that by preventing its publica- 
tion, the government was denying Bernstein’s right to express himself. 

That 1978 opinion — that the regulations might flout the First 
Amendment — was finally about to be tested. But few thought that a 
judge would resist the government’s inevitable claim that the export 
laws were crucial to national security, and that striking them down 
would unleash the modern-day version of the Four Horsemen of 
the Apocalypse: drug dealers, kidnappers, child pornographers, and 
terrorists. 

The case was tried before Judge Marilyn Patel in the Northern Cali- 
fornia District Court. One of her first acts did not seem promising for 
the plaintiff: she ordered the trial exhibits sealed, since the export rules 
forbade their distribution. But as the case progressed, Judge Patel 
proved to be more than sympathetic to Bernstein’s claims. Perhaps 
sensing this, the government tried a number of tactics to get the suit 
out of her court. It reversed itself on two of the five CJ determinations, 
admitting that those particular mathematical decisions were simply 
“technical data.” It argued that Judge Patel’s court had no jurisdiction 
in matters involving export law. It filed for immediate dismissal. But 
on April 27, 1996, Patel decided the case should proceed. The reason 
was enough to make a government regulator’s blood run cold: Judge 
Marilyn Patel had determined that at least part of the encryption 
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export control rules was indeed unconstitutional. Furthermore, she 
accepted the Bernstein team’s assertion that computer source code 
could be considered a form of speech. Which meant that the much 
stricter First Amendment rules regarding prior restraint applied to 
Snuffle. As far as Judge Patel was concerned, this wasn’t about keep- 
ing a weapon within our borders. It was about illegally suppressing 
an opinion. That summer, Patel officially affirmed her preliminary 
decision. 

The government appealed to the higher Ninth Circuit court. By 
then Bernstein had received his doctorate and was teaching at the Uni- 
versity of Chicago. He wanted to teach a course involving cryptogra- 
phy, but because of the continuing case, he required a government 
waiver to do so. It took another judicial ruling before he was finally 
permitted to distribute materials about his work — and then only to his 
students. The course was taught without discernible damage to the 
nation. 

But still the case dragged on. Oral arguments before a three-judge 
panel were scheduled for December 1997. Conventional wisdom had 
it that the appeals court would strike down what was seen as an impu- 
dent ruling from a judge who, after all, sat on the bench in wacky 
San Francisco. But in the packed courtroom, a rather harried gov- 
ernment lawyer, a man of baby -boom vintage with experience be- 
fore higher courts, was questioned harshly by the judges. The panel 
seemed more impressed with Bernstein’s advocate, Cindy Cohn, a 
diminutive woman in her early thirties, who, despite an occasional 
wavering in her voice, presented her arguments forcefully. One unex- 
pected point she made was that by preventing publication on the Inter- 
net, the government was failing to heed the recent Supreme Court 
decision that struck down a law known as the Communications 
Decency Act: the court had ruled that the Net was a beacon of democ- 
racy entitled to the highest level of First Amendment protection. Cohn 
also urged the judges to consider the implications of not allowing 
crypto to thrive: was it proper for the government to deny the tools 
that citizens might use to safeguard their privacy? 

The three -judge panel pondered the case for more than a year, not 
handing down their ruling until May 1999. For Daniel Bernstein, it was 
worth the wait. By a two to one margin, they issued a broad opinion 
that not only affirmed Patel, but also went even further in celebrating 
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cryptography itself as a vital component of democracy. Crypto should 
not be merely a state secret, they wrote, but also a protector of the peo- 
ple’s privacy. Somehow these two technologically unschooled jurists 
had gotten it. “Government attempts to control encryption . . . may 
well implicate not only First Amendment rights of cryptographers,” 
wrote Judge Betty Fletcher, “but also the constitutional rights of each 
of us as potential recipients of encryption’s bounty.” 

Encryption’s bounty? Judge Fletcher was a cypherpunk in robes! 

The afternoon that the decision came down, Bernstein was proc- 
toring a calculus exam in Chicago. Only afterward, when he checked 
his e-mail, did he learn that he had clobbered the government. 

The government appealed of course — but the export rules it was 
defending were looking less and less likely to survive. For years, the 
crypto dike had held admirably. But now it was crumbling. 

It was endgame for the government. 

Oddly, the NSA no longer appeared to be the prime obstacle to 
a solution — behind the Triple Fence one could discern a sense of 
resigned acceptance of the new crypto reality. Clint Brooks himself 
was no longer on the front lines, but ultimately the institution he 
served had come to accept his idea of change. Maybe its leaders rec- 
ognized that instead of trying to hold back progress, their efforts 
might be better spent trying to prepare for the inevitable. Probably, 
when the NSA cipher wizards had really thought about it, the putative 
nightmare of crypto everywhere was something they felt they could 
handle — if they were granted more funding, of course. Perhaps, as 
Robert Morris hinted in his Crypto ’95 speech, and the cypherpunk- 
cracking effort had indicated, these shiny, “uncrackable” programs 
created by the private sector really weren’t so uncrackable after all, 
and the NSA was satisfied at its ability to get plaintext when it needed 
to. One caper funded by the Electronic Frontier Foundation had been 
particularly telling: a team of engineers led by John Gilmore and Paul 
Kocher had built a DES -cracking machine for $210,000. (DES, of 
course, was still deemed a munition too hazardous to send abroad in 
normal circumstances.) In a demonstration at a 1998 crypto confer- 
ence, the device produced the plaintext to a DES message in less than 
twenty-four hours. Obviously, if such machines were produced in 
bulk, obtaining such keys would be dirt cheap. One had to assume that 
the NSA had plenty of similar units in its basement. 
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In any case, it was the FBI, particularly its director Louis Freeh, 
that kept urging a hard line — even to the point of continuing to insist 
that the bureau should have access to plaintext even at the cost of 
regulating crypto within U.S. borders. Freeh had finally managed to 
get a version of the Digital Telephony bill passed, presumably forcing 
the telecommunications industry to design its products to be wiretap 
friendly. (Congressional opponents of the concept, however, had 
foiled its intent by refusing to budget the hundreds of millions of dol- 
lars needed to implement the effort.) But Freeh continued to fear that 
crypto would be the death of wiretapping. Since 1994, he had been 
demanding publicly that if his agents were unable to get plaintext from 
their wiretaps, Congress should institute a new era of prohibition by 
banning unescrowed strong encryption. “The objective is to get those 
conversations, whether they’re [conducted] by alligator clips or [by] 
ones and zeros,” he said. “Whoever they are, whatever they are, I need 
them.” But Freeh was no longer a Clinton administration favorite, and 
White House officials shrugged off his remarks. 

Not that the administration had given up its hopes of stemming the 
cipher tide. It’s just that with each iteration, its anticrypto vision got 
flimsier and flimsier. White House apparatchiks insisted that the 
changes were all in the spirit of A1 Gore’s willingness to work with 
stakeholders in the crypto world to find the proper balance between 
codes and snoops. But the only direction that Clinton’s people were 
going was backward. “The boat was getting shelled,” Mike Nelson 
admits. The surest sign that a policy is in big trouble is when the words 
used to describe it are so discredited that they require euphemisms. By 
1997, the word “escrow” became verbum non gratum, despite the fact 
that thousands of Clipper-equipped phones had now been purchased, 
their keys gathering digital dust in the prescribed escrow facilities. 
Now the stated goal was called key recovery. A policy that began with 
the firm controls of Clipper — secret algorithms in tamperproof hard- 
ware, government -controlled escrow facilities — had been modified to 
a software -based scheme where users could choose their own, pri- 
vately run escrow facilities. Another compromise: the formerly top- 
secret Skipjack algorithm was finally made public. “We’re not stupid,” 
one administration official later explained. “We listened to the mar- 
ketplace.” But the marketplace — meaning real people trying to buy, 
sell, and use crypto — didn’t want any part of an escrow scheme. 
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Meanwhile, Congress was discovering the confidence to follow 
that market, rather than fall prey to the administration’s doomsday 
scenarios. Probably the most important factor was the rise of a well- 
organized lobbying effort by the computer industry. Since (now for- 
mer) Representative Maria Cantwell’s kamikaze run at the export 
laws, the high-tech crowd had learned a lot about what the white-shoe 
contingent could do for them. Regulatory warriors like Bruce Heiman 
of the Business Software Alliance had made crypto their cause celebre. 
Their alliances with civil liberties groups like the Electronic Privacy 
Information Center, EFF, and the Center for Democracy and Tech- 
nology gave them populist street cred. The lobbyists met with crucial 
administration officials so often that either side could flawlessly com- 
plete the other’s sentences. And they cleverly identified the legislators 
who would promote procrypto bills, not so much in anticipation of 
actually passing them, but to increase the already considerable pres- 
sure for strong-crypto detente. The lobbyists’ prize converts were a 
conservative Republican from Virginia, Robert Goodlatte, and a new- 
economy Democrat representing Silicon Valley, Zoe Lofgren. Good- 
latte in particular was a firebrand on the issue, a newly born crypto 
head in pinstripes. “The first thing we did was have him spend time 
with the NSA on this, so he could hear the point of view from the other 
side,” says Heiman. After being inoculated by a full-contact classified 
briefing, Goodlatte then was served the alternative reality: crypto was 
already abroad, industry was in danger of losing billions, and so on. 
Once the congressman adopted the outsider’s vision, he appeared so 
often with Internet industry leaders that it was a shame he was ineli- 
gible for stock options. 

Helped by a newly formed industry group called Americans for 
Computer Privacy (those “Americans” were thirteen corporations 
including RSA, IBM, Novell, Sun, and Microsoft), Goodlatte and 
Lofgren educated their colleagues on the political benefits of support- 
ing strong crypto. In the Senate, the unlikely crypto crusader Conrad 
Burns of Montana took on the administration, backed by privacy- 
savant Patrick Leahy and the senator from Microsoft, Washington’s 
Patty Murray. 

A dramatically different variation on The Briefing was coming into 
vogue in congressional hearing rooms. Instead of shrouded conversa- 
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tions about maintaining our successes in codebreaking, witnesses 
were warning of potential disasters caused by outsiders screwing up 
our own systems — which were vulnerable, in part, because the world’s 
most advanced technological nation had failed to adopt strong crypto 
to protect those systems. Every corruption of a Web site and theft of 
on-line credit-card numbers seemed to reinforce those fears; the con- 
clusions of the National Research Council were finally resonating. Even 
the FBI’s Web site got hacked! Capitol Hill was suddenly abuzz with 
the prospects of a “digital Pearl Harbor,” where hackers, terrorists, 
and hostile nations would grind our society to a halt by shutting down 
computer-controlled functions like the electrical grid or weapons sys- 
tems. And though there was no magic bullet that might shore up our 
defenses, we did have a powerful tool to protect ourselves: strong crypto, 
the very thing that the administration had been trying to suppress! 

By 1 999, an emboldened Congress was finally rallying around the 
SAFE bill, the three-year-old proposed legislation to relax the export 
rules. In fact, a majority of the House — 258 members — had signed on 
as cosponsors. In the Senate, the news for the administration was no 
better. Its leader in the fight against relaxed export controls had been 
John McCain, the former Vietnam prisoner of war whose credibility 
on such matters was unimpeachable. A bill McCain and Senator Bob 
Kerry had introduced in June 1997 would deny the services of any 
future government -sponsored “certificate authorities” (agencies to 
distribute and authenticate public keys, a necessary component in a 
full-blown crypto infrastructure) to those who refused to escrow their 
keys — potentially giving citizens the choice of either using Clipper- 
type schemes or losing their ability to participate in the electronic soci- 
ety. But by 1999, McCain had looked more closely at the issue (and 
perhaps its impact on his pending presidential run). In a stunning 
switcheroo, McCain suddenly turned into Mr. Crypto, a vocal sup- 
porter of the SAFE bill. 

Was it time for the administration to finally toss its export forms in 
the air and yell “ciphertext”? Apparently so. Even though the admin- 
istration never really believed that Congress would pass a bill demand- 
ing liberalized exports — the system was too convoluted to tackle, the 
risk of compromising national security too dicey, and in any case there 
was always the promised presidential veto — the White House was 
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distressed and anxious that votes in the subcommittees kept the issue 
alive. More to the point, the Clinton people began pondering the 
potential consequences of a national disaster resulting from a lack 
of crypto — for which they could be blamed. Sure, allowing crypto 
exports could be dangerous, they figured, people may die . . . but on 
the other hand, if someone attacked an unprotected digital infrastruc- 
ture . . . people may die! As one White House policy maker later 
explained, it came down to how they would die: “Do you want them 
shot out of the sky with a surface-to-air missile, or do you want the 
floodgates on the Grand Coulee Dam to be rewired?” If the whole 
issue boiled down to six of one against half a dozen of the other, what 
was the sense of fighting such a thankless, uphill battle? 

In September 1999, A1 Gore — himself preparing for a run at the 
White House — announced that a new set of regulations would be 
unveiled in December: the net result of which would be permission to 
export consumer-directed crypto products in any key length. So dras- 
tic a change was this that upon being briefed on the policy, Curt Wel- 
don, a Pennsylvania congressman who had carried serious water for 
the administration in fending off the SAFE bill, could not contain him- 
self. How can you be implementing this policy? he shouted. For years, 
you’ve been telling us that exports of strong crypto will compromise 
security and empower criminals. And now you’re telling us you’ve 
changed your minds? 

“It’s over,” concluded Stewart Baker, who since leaving the NSA in 
1994 had returned to his law firm to practice cyberlaw. Some sus- 
pected that the whole thing was yet another government stalling tac- 
tic; at the last moment, the regulators would unveil a plan loaded with 
fine print that represented very little change. Just like Lucy snatching 
away the football when Charlie Brown was ready to boot it, they imag- 
ined, the NSA and the FBI would once again deny the crypto com- 
munity the ability to export strong keys. But by now it was clear that 
the game could have fewer and fewer iterations before Charlie would 
finally, inevitably put toe to pigskin. 

This time, in fact, the government made good. The first draft of the 
regulations seemed to dictate an alarming amount of red tape before 
strong crypto could be granted an “automatic” exemption — but tact- 
ful yet firm opposition from the Goodlatte-Lofgren faction and the 
industry led to a more commodious second draft. Not perfect, but suf- 
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ficiently straightforward to assure even the paranoid that this time the 
good stuff could be sent abroad. No longer was a 56-bit DES key, or 
even keys of 64, 80, 128, or more bits, regarded as a deadly weapon. 
If was official: public crypto was our friend. 


A few days into the new millennium, it was time for the tenth - 
anniversary gathering of RSA’s annual cryptography conference. The 
gathering now had outgrown San Francisco’s largest hotels and was 
held at the mammoth San Jose Convention Center. It had become a 
huge crypto bazaar with a conference program with five separate 
tracks of seminars and over ten thousand people in attendance. 

Almost every year at the show, one of the keynote sessions tracked 
the progress, or lack of progress, of cryptography in the political 
realm. It would play out almost like Kabuki theater, with aggrieved 
representatives from the commercial, academic, or civil liberties 
world griping about the intransigence of the government. Then some 
unlucky emissary from the administration — an assistant attorney gen- 
eral, an NSA lawyer, a White House techno-policy wonk — would lec- 
ture an unforgiving crowd about the ineffable balance between privacy 
and national security, perhaps inflaming the gathering by an ill-placed 
“If you knew what we know” reply to one of the inevitably hostile 
questions. But this year it was different. Jim Bidzos came to the 
podium with a bottle of champagne, offering it to the people from Jus- 
tice and the NSA on the panel. The fight is over, he was saying, and 
our guys won. 

Bidzos himself was no longer working full time, partly as a conse- 
quence of the June 1996 acquisition of RSA Data Security by an 
East Coast computer security firm called Security Dynamics. (Weeks 
before the January conference, the purchasing company decided to 
change its name and was now called RSA Security, Inc.) The price tag 
was around $300 million, of which Bidzos himself took in $40 million. 
Some think that the sum might have been even higher — or RSA might 
have been able to pull off its own billion-buck Internet IPO- — had it 
not been for the acrimonious breakup of Public Key Partners, when 
lawsuits flared between RSA Data Security and its partner Cylink. The 
people at Cylink had become unhappy with the arrangement, and also 
frustrated that the original agreement did not allow them to exploit 
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RSA technology freely in their own products; they went so far as 
to challenge the validity of the MIT patent on the breakthroughs 
of Rivest, et al. (A remarkable action, since Cylink, through PKP, 
received a share of the royalties from that patent.) Bidzos and his col- 
leagues, meanwhile, were livid that Cylink had developed an RSA- 
based product for the global transaction clearinghouse SWIFT. The 
suits were finally settled in late 1996, with the assistance of a federal 
judge. Both sides claimed victory at the complicated settlement (Bid- 
zos noted that there were no findings that RSA had acted improperly) 
but valuable energies had been expended — while the patents them- 
selves inched closer to their expiration dates. 

Not long after the sale, Bidzos figured he’d be happier with less 
involvement in the firm. He’d moved into a Marin County mansion, 
owned a sleek posse of BMW motorcycles, sampled exotic bottles of 
wine, practiced classical guitar, flew his minifleet of airplanes, and 
checked on his impressive stock portfolio. Investments had made him 
a millionaire many, many times over — his personal stake in the 
VeriSign digital certificate company alone (which he cofounded) was 
worth more than the money he cleared in the RSA sale (a stake that 
had itself now grown to over $100 million). His main job was now as 
a quasi-ambassador of the commercial crypto cause, and his main visi- 
bility came at the annual conference. 

Diffie was there, of course. Still unrepentantly longhaired and strik- 
ingly bearded, he cut a startling figure in one of his bespoke suits. 
Though not wealthy by Silicon Valley standards, the few million dol- 
lars he had received from his patents and RSA stock made him quite 
comfortable. He and Mary Fischer were still together, still very much 
in love, though their one-time petting zoo was now down to two 
Tibetan mastiffs. 

Rivest, Shamir, and Adleman attended as well. Rivest was now a 
well -respected graybeard, still on the MIT faculty but wealthy from his 
RSA holdings. He was still doing original crypto research. Shamir was 
even more active in the field, brainstorming everything from systems 
for digital cash micropayments to a new computer that could factor 
huge numbers. But Len Adleman was pretty much out of crypto, 
working instead on schemes that combined mathematics with organic 
chemicals, like DNA computers. 
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Some key cryptographers and figures in the struggle didn’t make it 
to San Jose for the event. Ralph Merkle, too busy with his work at 
Xerox PARC in the field of nanotechnology, couldn’t find the time to 
accept an award bestowed by RSA for significant contributions in the 
field. And Ray Ozzie was immersed in the development of his first 
major project since Notes: within weeks he would receive — fifteen 
years after his first frustrating contacts with the NSA — export clear- 
ance to ship 2048-bit RSA keys, 256-byte RC-4 (yes, byte — eight 
times more than bits!) keys, and, by the way, clearance for plain old 
DES as well. 

Another unfortunate no-show was David Chaum. Had he attended, 
he might have seen plenty of things he liked. Anonymous crypto solu- 
tions like Chaum’s were increasingly cited as an antidote to the 
unwanted transmission of personal data. One start-up prominently 
displaying at the conference trade show was a Canadian company 
called Zero Knowledge that sucked up millions in venture capital to 
launch its “Anonymizer,” a Web site that allowed people to surf the 
Net without leaving their digital footprints behind. 

And though Julf Helsingius didn’t venture from Finland for the con- 
ference, his ideas still flourished. At the monthly cypherpunks meeting 
held the weekend before the event, there was the usual discussion of a 
new generation of remailers called “mixmasters,” which used an 
improved technology to make encrypted anonymous Internet messag- 
ing easy to use and devilishly difficult for governments to unravel. 

Phil Zimmermann, however, did manage to attend the conference. 
On January 11, 1996, the government had officially dropped its inves- 
tigation of him and his co-target, Kelly Goen. To celebrate, Zimmer - 
mann’s wife had tossed a “Phil Got Off the Hook” party at the Rocky 
Mountain Peace Center. Not long afterward, Zimmermann decided to 
move to Silicon Valley and start a company, Pretty Good Privacy, Inc., 
to produce the software commercially. (An RSA lawsuit filed against 
the new company for copyright infringement was eventually settled, 
with PGP paying normal royalties for public key protocols.) But PGP, 
Inc. was short-lived. Admittedly the kind of guy who couldn’t balance 
his own checkbook, Zimmermann turned over the operations of his 
company to businesspeople who went through millions of dollars in 
barely the time it takes to calculate a long prime. The new company 
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acquired other firms, had splashy displays at trade shows, and pursued 
an overly ambitious plan of transforming itself into a full-service secu- 
rity giant. Finally, the nearly broke company was sold to an established 
personal computer security firm, Network Associates. Zimmermann 
was kept on as the official head of PGP, but his contribution came not 
so much as a software developer but as a living symbol of strong cryp- 
tography. It was in that iconic role that Phil Zimmermann attended the 
2000 RSA conference; his best moment came at a Network Associates 
party on the event’s second night. Standing at a computer keyboard, 
he made a big show of mouse clicking a file transfer that launched a 
copy of commercial PGP abroad. Only a few years earlier, the gov- 
ernment wanted to throw him in jail for the same alleged act. 

Later in the conference came a series of sessions focused on a so- 
called crypto bakeoff run by NIST to choose a successor to the now- 
ancient Data Encryption Standard. In contrast to the selection of 
DES, which was made after closed-door meetings with its creators 
and agreements to keep its design principles secret, the Advanced 
Encryption Standard was being run as an open competition, with the 
winner to be chosen by 2001 . Not only the algorithms themselves but 
also the design considerations were completely public. All, as required 
by NIST, were much stronger than DES, with minimum 128-bit keys. 
It would have been difficult to argue for strong restrictions against the 
export of the algorithm in any case, since more than half of the con- 
tenders were written by cryptographers outside the United States. 

It had taken more than twenty years since Whit Diffie’s discovery — 
so long, in fact, that in just a few months into the new century, the 
suite of patents covering public key and RSA would one by one reach 
their expiration dates — but the era that Diffie had dreamed of was 
finally beginning. In a keynote speech following Bidzos, a vice presi- 
dent at Microsoft announced that its new operating system, Windows 
2000 — variations of which would undoubtedly find their way into 
almost every personal computer sold in the new century — would have 
128 -bit crypto built in, with government clearance to export it. And 
Apple Computer was already shipping strong crypto in its new oper- 
ating system. 

And, of course, crypto was already a component in every Web 
browser, enabling the secure transfer of credit-card numbers and 
financial information. In 2000, there would be over $80 billion worth 
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of e- commerce transactions — a number that was estimated to eventu- 
ally shoot into the trillions; virtually all of that was protected by RSA 
crypto. And later that year, a national digital signature bill would be 
passed, finally clearing the way out of the logjam caused by the admin- 
istration’s foot-dragging back in 1992. President Clinton would sign 
the bill electronically. 

The once -forbidden technology was suddenly the new panacea. It 
was envisioned that the solution to the pirated, downloading of music 
and films would be . . . crypto. In addition, crypto was the secret sauce 
of protected corporate discussions used in “virtual private networks,” 
a hot business trend that allowed snoop-proof conferencing. The 
movement of medical records to the on-line world would be possible 
only with crypto. And crypto was expected to be an essential compo- 
nent in the next generation of the Internet, where all of us would com- 
municate with non-personal-computer “devices” ranging from 
palmtops to phones to kitchen appliances. We would be wired and 
wirelessed up the wazoo, and crypto would be our privacy safety net. 

To be sure, its revolutionary impact would be stealthy. The hun- 
dreds of millions already using it in browsers and operating systems, 
for instance, knew nothing of Whit Diffie and the others, even as their 
machines silently made key exchanges and scrambled, unscrambled, 
and successfully completed transactions with secrecy that would stag- 
ger the medieval occultist Trithemius, stun autokey wizard Vigenere, 
and perhaps bring a wistful smile to Lucifer’s creator, Horst Feistel. 
Why didn’t it happen sooner, as Diffie had expected? Because it 
wasn’t until the Internet that it had to happen. 

So there was reason to celebrate at the 2000 RSA conference. But 
those wondering why the turnaround had come so quickly would have 
found a succinct answer one year earlier — same season, same place, 
at the 1999 conference. That event had opened with the soaring vocal- 
ists of the Oakland Interfaith Gospel Choir. Decked out in electric 
blue robes, they filed onstage, booming out a holy-roller version of the 
rock song “I Still Haven’t Found What I’m Looking For.” The lyrics 
had been changed to refer to the long struggle for widespread, strong 
encryption. But when Jim Bidzos himself hit the stage, similarly be- 
robed, his preacherlike testimony presciently claimed that the clouds 
were parting, the rainbow just ahead. If not crypto anarchy, he knew, 
crypto ubiquity was on the way. He realized that for all those years 
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he’d been flogging the public key dream, he’d been pushing a boulder 
uphill. But the problem hadn’t been only the government or the export 
regulations, but the product itself. Public key cryptography was a 
mathematical marvel, but it had actually been born too soon. Twenty 
years ago, it was a solution whose problem hadn’t fully materialized. 

No more. Not when every desktop had a computer on it and was 
connected to the Internet. Not when nearly every lap had one of 
the things, too. Not when phones were beginning to get hooked to 
the World Wide Web, along with set-top television boxes, and even 
videogame consoles. Certainly not when all those Net-connection 
devices were being used to shuttle everyone’s private information, and 
even their credit cards. Especially their credit cards. 

Jim Bidzos looked at his audience and made his own joyful gospel 
sound: “We’ve found the problem to the solution,” he said, “. . . and 
it’s e-commerce!” 


epilogue: the open secret 


flashback to 1969. Whitfield Diffie is just beginning to cogitate on 
cryptography. Marty Heilman isn’t working at Stanford yet. Ralph 
Merkle is still in high school. The world of high-level codes is owned 
and operated by intelligence agencies. And would be, until the inven- 
tion of public key by Diffie, Heilman, and Merkle, and its implemen- 
tation by Rivest, Shamir, and Adleman. Their mind-blowing ideas that 
would smash the monopoly of the spooks were years away. 

James Ellis wasn’t the type to call himself a spook. True, he 
worked for General Communication Headquarters (GCHQ), the 
British counterpart to the National Security Agency. But he preferred 
to describe his agency, along with its NSA cousin, as “the closed com- 
munity.” He was a member of a clan driven by patriotism, pride, and 
the simple need to bring home a paycheck. If brilliant work was done, 
it would be acknowledged privately, within the bounds of the secret 
society. James Ellis’s brush with brilliance was a prime example. He 
was the real inventor of public key cryptography. And for almost thirty 
years, virtually no one knew it. 

Ellis’s colleagues would never have pegged him as a likely candidate 
for a breakthrough that could change the very rules of their science. 
He was seen as capable of good ideas but at heart more of a dreamer. 
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Some thought him a borderline wacko. He was an Australian-born 
orphan who had been raised by grandparents in the East End of 
London. He’d joined GCHQ, located in the Cotswolds town of Chel- 
tenham, in the 1950s, after attending Imperial College. Ellis under- 
stood that he was entering a world where communication about one’s 
work with the outside was strictly forbidden, now and forever. The job 
was to work for one’s country; dreams of personal ambition and pub- 
lic recognition were to be put aside. “The fullest value of cryptogra- 
phy is realized by minimizing the information available to potential 
adversaries,” Ellis would write. “Professional cryptographers normally 
work in closed communities to provide sufficient professional interac- 
tion to ensure quality while maintaining secrecy for outsiders.” 

This sounds rather lofty, but in truth Ellis’s assignment did not place 
him in the white-hot center of international intrigue. “I think in some 
ways,” says Malcolm Williamson, who as a future colleague would 
have his own role in this story, “he was sort of sidetracked. At least my 
impression was that he was working on not really critical stuff and not 
really slated to be in charge of big projects or anything like that.” 

“He was an almost classic English eccentric: nice, disorganized, 
shambling around,” says Nick Patterson, who arrived at GCHQ in the 
late 1960s. “Some managers wrote him off as a nutcase, but he was 
full of ideas. Half of them were ridiculous, but half could be brilliant.” 

Most people, though, saw only the strange fellow who habitually 
spooned instant coffee from a hand-mixed jar containing Nescafe and 
sugar — he thought it was less efficient to add the sweetener every time 
he made a cup. Another obstacle to the recognition of his talents was 
an inability to express some of his insights clearly. “He was the worst 
technical public speaker I’d ever seen,” says one colleague. “Listeners 
would consider his talks an absolute ordeal. Ellis would typically begin 
a talk by apologizing that he’d been asked to give a presentation on 
something he knew nothing about, then he’d go on for twenty minutes 
in some bizarre direction. But then — and this is why his talks were 
attended at all — without fanfare, he’d slip in something amazing.” 

Ellis himself was somewhat bitter that one of the best ideas he’d 
ever had had been wasted. A longtime fanatic of radio design, he had 
come up with a certain kind of audio circuit that would provide better 
reception. He actually patented his idea, and a company offered to try 
building it into its radios. But apparently the company’s engineers, 
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under orders to save money by cutting down on components, 
butchered his design. As a result, the radio reception was unexcep- 
tional. The fiasco was always a sore point with Ellis. 

In 1969, Ellis, then in his forties, was working in the part of the 
agency called Communications Electronics Security Group (CESG), 
in what was probably the most appropriate position for him: a group 
of maybe a half dozen researchers working on long-range projects. 
Blue sky stuff. He had just rejoined CESG as a senior scientist after a 
stint at the post office, presumably helping on security issues. And now 
he found himself working on a problem that most people believed was 
unsolvable. 

In the 1960s, the intelligence establishment was just beginning to 
consider the revolution in computers and wireless technologies, and 
the subsequent huge demand to provide protection for government 
communications that went over these channels. But while devices to 
perform encryption had gotten cheaper, one part of the process hadn’t 
changed fundamentally since World War II. This was the means of dis- 
tributing and holding cryptographic keys. The restrictions needed to 
protect those keys acted as a bottleneck: for every two people wishing 
to communicate securely, a brand-new secret key had to be generated 
for that particular conversation. Thousands of people were in the clas- 
sified loop; that meant literally millions of keys to move securely and 
protect. The problem was essentially the same one that would soon 
bother Whit Diffie: the hair -pulling complexity, and the security risks, 
that came from managing this vast number of keys. 

It was a tough problem, and of course no one expected James Ellis 
to solve it. After all, certain rules of cryptography seemed as firm as 
the laws of physics. And what law was more certain than the one which 
assumed that secret keys used to encrypt communications should 
never be placed in a position where outsiders could intercept them? 
But Ellis, according to another colleague, Clifford Cocks, “was the 
sort of person who, whatever the problem you’d give him, would 
always start by challenging the basic assumptions, coming up often 
with questions that pointed to the invalidity of the assumptions you 
were working on — assumptions that maybe were stopping you from 
getting the solution.” In attempting to crack the key management 
problem, almost any cryptographer would rule out of hand any solu- 
tion that involved sending secure messages when not only the method 
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of encipherment is known to the potential interceptor, but every trans- 
mission is assumed to be as equally accessible to the snoop as to the 
intended recipient. Including the transmission of key material. Even 
Ellis doubted that it could be done. “It was obvious to everyone, 
including me,” he later wrote, “that no secure communication was 
possible without a secret key, some other secret knowledge, or at least 
some way in which the recipient was in a different position from an 
interceptor. After all, if they were in identical situations, how could 
one possibly be able to receive what the other could not? Thus there 
was no incentive to look for something so clearly impossible.” 

Ellis would soon get that incentive. It was an unsigned paper that 
had long been buried in the mountain of secret material accumulated 
inside the boundaries of the shadow world. It described a project con- 
ceived by Bell Telephone during the final days of World War II, one 
that had been quickly classified and forgotten. The scheme was part of 
something called Project C43, a primitive yet ingenious experiment in 
analog voice scrambling. Say you want to send a message over a 
phone line and suspect that someone is listening. How can you keep 
the message secure? The anonymous Bell scientist postulated that the 
person who wants to receive the message should simply add noise to 
the line. When the message gets sent, it will be intermingled with the 
noise so that an eavesdropper will hear only garbage. But the reci- 
pient, who knows precisely how that noise was generated, may be able 
to subtract that noise from the transmission — and wind up with the 
original, unscrambled message. 

For purposes of modern cryptography, Project C43 was useless. 
For one thing, it was an analog model and now everyone used digital 
communications. But Ellis found it exciting: here was a system where 
the sender of a message didn’t have to worry about whether a poten- 
tial enemy was listening, even if the foe knew how the system worked. 
What made this possible, Ellis realized, was that, in contrast to con- 
ventional cryptography, the recipient is actually a collaborator in the 
process of encryption. “Secure communication,” Ellis would write, 
“was at least theoretically possible if the recipient took part in the 
encipherment.” 

Could such a system work with real-life digital cryptography? Ellis 
decided that the heart of the matter was a heretical issue: whether a 
secure, digitally encrypted message could actually be sent without any 
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keys being exchanged in advance. According to his later account, that 
actual question popped into his head one night after he had gone to 
bed. And only a few minutes later, he had his answer. 

Yes. 

Sitting there in the dark in his Cheltenham bedroom, he came up 
with an existence proof for the question. And his name for it would 
embody the contradiction: Non-Secret Encryption. 

Ellis’s scheme was centered around a set of three mathematical 
transformations. A recipient, Alice, would use two of these and a 
sender (hello again, Bob) would use a third. A third, unwelcome party, 
Eve, is a potential interceptor who also has access to these functions, 
since they are, in this scenario, public knowledge. The process begins 
by a crucial act suggested to Ellis by Project C43: the potential mes- 
sage recipient gets involved in the scrambling process. Alice starts by 
generating a large number chosen at random — this, in effect, is a 
secret key that only she holds. She does this by performing a certain 
mathematical function to transform the key to a different number. 
Then she sends that number to Bob. 

This new number is analogous to what Diffie and Heilman would 
later call a public key. Since an important property of the mathemati- 
cal function is that it cannot be calculated in reverse, even those who 
have this second, nonsecret number, and also know what function 
produced it, cannot do an inverse calculation to retrieve the first, 
secret number. This is something that will remain known only to the 
recipient, Alice. 

Now that Bob has this nonsecret number, he uses it with a second 
function to scramble the private message he has for Alice. Then he 
sends the scrambled message to Alice. How does Alice restore the 
message back to its original plaintext form? With the third mathe- 
matical function, she uses her original, secret key essentially to strip 
the encryption from the message. Alice can now read it, and Eve can 
do nothing but gnash her teeth. 

In effect, the nonsecret key acts like the line noise in Project C43: 
although any eavesdropper can hear the noise on the line, only the 
recipient knows how the noise was generated (this information being 
the equivalent of a secret key), and thus only the recipient can strip 
out the noise (or, in this case, perform the proper function) to restore 
the scrambled message to its original, clear form. By figuring out a 
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scheme that adapted the principles of that project to the digital age, Ellis 
had potentially changed the rules of cryptography. Since these non- 
secret keys did not have to be protected, it was possible to have secure 
communications without prior arrangement. This meant that field per- 
sonnel would not have to be provided with symmetrical keys before- 
hand, keys that then had to be fanatically protected. It was now possible 
to conceive of protected communications on a much vaster scale. 

It had not been Ellis’s specific assignment to create a revolution in 
cryptography, but now he had to deal with the possibility that he had 
done just that. Certainly, the very basis of the idea — its “nonsecret” 
element — was so seemingly antithetical to the practice of cryptogra- 
phy that, to some GCHQ muckety-mucks, striking down Ellis’s thesis 
was a blow for the natural order. 

In any case, the idea had to be vetted. In July 1969, a draft of Ellis’s 
paper was sent to the GCHQ chief mathematician, Shawn Wylie. If 
God was in His Heaven, surely the mathematics staff, or perhaps the 
chief himself, would find a fatal flaw in this system. It took months for 
their results to be reported, but just before Christmas that year, Wylie 
wrote his summation. “Unfortunately,” he wrote, “I can’t see anything 
wrong with this.” 

But, the mathematician noted, Ellis had come up only with a proof 
that such a system could exist — not the system itself. What was miss- 
ing was the means to assure that there was a secure way of generating 
a “nonsecret” key from the original private key. You needed to be sure 
that the Eves of the world, who after all would have free access to the 
nonsecret key, could not reverse that first process and discover the 
secret key. Ellis had conjectured a set of look-up tables that would 
perform the various scrambling and descrambling calculations, but 
had not come up with the specific functions themselves. Until they 
were discovered — and skepticism ran rampant that this was even 
possible — nonsecret encryption could only be seen as a curious theo- 
retical anomaly. And nothing more. 

“The conclusion,” says Clifford Cocks, “was ‘This is really won- 
derful, this is ingenious, it’s really clever, but how will we ever be able 
to make use of it?’ ” 

Ellis did not sugarcoat this problem when he formally wrote up 
the scheme in January 1970. But neither did he shy away from the 
implications of his idea. The internally published — and of course, 
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classified — paper was entitled “The Possibility of Secure Non-Secret 
Encryption” (emphasis added). “It is necessary to distinguish care- 
fully between fact and opinion, i.e., between that which has been actu- 
ally proved and that which seems likely,” he wrote in the conclusion. 
“It is particularly difficult to do this in this case because we have estab- 
lished something which, to most people, seems inherently impossible.” 
In fact, he continues, the concept is not impossible because he had 
“rigorously” proven that his scheme was “theoretically plausible.” 

Only one step was required, then, to produce a revolutionary means 
of encryption, and that was finding the proper mathematical func- 
tions. Not so easy. Ellis’s concern, even as he set about the search, was 
that his mathematical skills were not up to the task. (He was an engi- 
neer by training.) And despite the apparent advantages that a non- 
secret system would offer, GCHQ didn’t think it worthwhile to assign 
much brainpower to aid him in the quest. Still, at various times over 
the next few years, some CESG cryptographers would come across 
the paper and work on possible solutions. In 1971, a new chief scien- 
tist took an interest in the problem and did assign some people to 
spend a bit of time seeking a solution. But while those looking for the 
mystery functions developed an understanding of what the character- 
istics of such things might be, nothing they tried was successful. The 
high ground seemed to belong to those insisting that the whole con- 
cept was preposterous. 

It is unknown to what degree, if any, the N SA participated in this 
process. Dating from the collaboration of their respective predecessors 
in the days of Bletchley, GCHQ has shared confidential secrets with 
its so-called cousins in America. Yet there is no evidence that NSA 
efforts were being expended on nonsecret encryption at this point. The 
papers released by GCHQ indicate that the work in this field was lim- 
ited to those few CESG cryptographers who had access to the project 
and interest in playing with it. And as a solution seemed less likely, 
those were becoming fewer. 

That is where Clifford Cocks plays his role in the story. In 1973, 
Cocks was a recent CESG hire. Born of middle-class parents — his 
father was an accountant — Cocks had been bright enough to pass the 
exams for Manchester Grammar School, a competitive independent 
school with a solid academic reputation. From there, he had gone to 
Kings College, Cambridge, for an undergraduate degree in math. 
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Then he took a year of graduate study at Oxford, working on number 
theory. “I wasn’t making real progress,” he admits. So, where to 
work? Though he didn’t know much about GCHQ, and really hadn’t 
thought about cryptography as a focus for his work, he knew that the 
secret agency needed mathematicians. Also, one of his childhood 
friends, Malcolm Williamson, was already working for GCHQ. (When 
the government investigated Cocks ’s application, they took special 
notice of this, presumably fearing that there might have been some- 
thing sinister in the coincidence.) So, at age twenty-two, in September 
1973, Cocks entered the closed community. 

The prospect of not having papers distributed publicly did not 
bother Cocks. “I was happy about it,” he says. There would be no pres- 
sure to compete with the geniuses of academia. The lack of results in 
his student research led him to think that his contribution would lie 
more in the practical efforts he would devote to his government. 

When people arrived at GCHQ, they were given a mentor, “to teach 
you the ropes and tell you what you need to know,” says Cocks. His 
was Nick Patterson, another former Cambridge mathematician. Pat- 
terson, who had been a chess prodigy in his native Ireland, was him- 
self only a few years older than Cocks. But he had been identified as 
an up-and-comer. One day at teatime, about two months after 
Cocks’s arrival, Patterson mentioned Ellis’s idea. He presented it to 
the younger man not as a challenge to implement a new form of cryp- 
tography, but as more of a puzzle. “Nick explained it to me very 
mathematically, in terms of wanting a nonreversible function, with a 
property where you could encrypt and decrypt with the input of this 
function,” says Cocks, who thinks that it was an advantage that he 
didn’t actually see Ellis’s paper. This way he could approach the prob- 
lem with no preconceptions. Since he had done his research the 
previous year in number theory — working with large primes and 
multiplication — it made sense to him to use that knowledge to, he 
hoped, implement Ellis’s theory. 

“I suppose it was actually also helpful that I wasn’t doing anything 
that evening,” he adds. Because that night he walked back to the mod- 
est room he rented in Cheltenham, ate the dinner cooked by the 
woman who let him the room in her family home, and sat down to 
think. Because of the secrecy imposed by GCHQ in all things con- 
cerned with his work, he had certain limitations. He could not bring 


epilogue: the open secret | 321 


anything home from his office, and if he pondered a work-related 
problem “in digs,” he was not permitted to write anything down, not 
even notes on wastepaper. The only material he had was his brain. 
“Happily,” he said, “the first idea seemed to work just fine.” 

The idea was more than just fine — it was elegant. “If you wanted 
a function that couldn’t be inverted,” he says, “it seemed very natural 
to me to think of the concept of multiplying quite large numbers 
together.” Cocks figured that the secret “key” in his implementation 
would be two huge primes, generated on the spot by the recipient, 
Alice. The product would be the nonsecret key, the number given to 
the sender, Bob. (Bob could also find this number in a publicly dis- 
tributed directory.) Cocks then figured out a simple mathematical for- 
mula in which Bob could use that nonsecret number to encrypt the 
message in such a way that it could only be decrypted by a person who 
knew the original primes. 

The formula was virtually the same as what we now call the RSA 
algorithm. Clifford Cocks, in one evening, had produced what, three 
years later, would be rediscovered by three soon-to-be famous MIT 
mathematicians after a four-month period of intense trial and error. 

Clifford Cocks recalls that it was probably around seven or eight 
o’clock when the first public key implementation in the world was dis- 
covered. “This is very interesting,” he thought to himself. Then, after 
he had mapped it out in his head, he went to sleep. “I went back to 
work the next morning and wrote it down,” he said. 

He put the short paper on Nick Patterson’s desk and waited for his 
mentor’s reaction. Patterson, admitting to “an Irish excitability,” 
reports that “I went kind of crazy.” He literally dashed down the cor- 
ridor to the office of the Communications Security specialists forty 
yards away, flung open the door, and shouted, to the astonishment of 
the stodgy bureaucrats planted behind their desks, “This is the most 
important cryptographic discovery of the century!” 

That, however, was a minority opinion. Even Cocks at that time felt 
that it was more a clever solution to a math puzzle than a practical 
landmark. Certainly, as word began to get around CESG that some- 
one had found a way to implement James Ellis’s strange idea, no one 
treated it like the Second Coming or anything. “People said, ‘Ha, ha, 
now here’s a method,’ ” Cocks recalls. 

No one seems to remember the moment James Ellis heard about 
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Cocks’s discovery. “I think it would have happened that morning,” 
Patterson guesses. “He was very happy.” But Ellis was also cautious — 
fearful, perhaps, that GCHQ would still not treat the idea with the 
seriousness it deserved. Cocks himself does not remember his first meet- 
ing with Ellis, whom he would come to know in the coming months. 

Cocks got a go-ahead to write a paper on his idea, and he mentioned 
this to his friend Malcolm Williamson. (Even though Williamson was 
at the time living in the same house as Cocks, the conversation had to 
take place at work, since work-related exchanges were verboten out- 
side GCHQ walls.) This was sort of a one-up move, since it was fairly 
unusual for a young recruit to be circulating a paper so quickly after 
arriving. The announcement got Williamson’s attention, and he lis- 
tened closely as Cocks explained the problem he had tackled and how 
he had solved it. 

Williamson had known Cocks ever since he was twelve — he also had 
attended Manchester Grammar. Williamson, too, was of the middle class; 
his father was a salesman for a textile company. Since both Cocks and 
Williamson excelled at math, there had been a friendly, though unspoken 
competition between the two. Williamson also went to Cambridge — 
Trinity College, which boasted Newton among its alumni — then took 
some graduate work in topology at Liverpool University. One day he 
had an epiphany: if he did get his doctorate, he would be a math 
instructor all his life. He was currently teaching a class of engineers and 
was discouraged that none of his students could prove that the square 
root of 3 was irrational. “I couldn’t explain to them why they should 
care,” he says, “and I didn’t care that much myself. So I thought, ‘Why 
am I doing this?’ ” Around that time he saw an ad for mathematicians 
posted by GCHQ. Without knowing much about the agency, he 
replied, and found himself assigned to problems of cryptography. 

Williamson had not heard of the Ellis problem before, but it struck 
him as rather nonsensical. How could you do cryptography when 
you passed the key in the open? So he set about to shoot down the 
concept — to “disprove Cliff’s idea,” Williamson says. 

It was after dinner, in his room, that Williamson began his debunk- 
ing effort. “You try to reduce a problem to very basic general kinds of 
concepts, just sort of probe it,” he explains. “I didn’t manage to prove 
that there were any flaws in what he had.” 

But in the process, Williamson began considering different ways 
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that two collaborating parties could pass numbers back and forth to 
arrive at a key — a shared key that would be secure even if an eaves- 
dropper (some evil Eve) was monitoring every bit of the exchange. It 
was late at night when he finally got it — eight or twelve hours after he 
sat down to think, he reckons — but eventually he had a scheme of his 
own. It involved a complex set of exchanges in which each party would 
pick a random number, perform a calculation on it by a difficult- to - 
reverse formula, and finally arrive at a shared key. That Williamson 
was legally forbidden to write it down while at home — for, of course, 
as soon as it sprang out of his head it was instantly a state secret — 
did not bother him. “When you’ve got a concept that is right, you 
can’t forget it,” he says. “Everything follows logically.” Still, as his 
friend Cocks later recalls wryly, the next morning was the first within 
memory that Williamson arrived at work early. 

Williamson says that one of the first people he told about his break- 
through was Ellis himself, whom he knew only slightly at that time. He 
doesn’t remember much of the conversation, but does recall that in the 
weeks that followed, “James made me see it more clearly.” Still, it is 
indicative of the project’s relative unimportance in GCHQ’s view of 
things that Williamson didn’t actually write up his work for a couple 
of months. (He finished his memo in January 1974; Cocks’s work had 
been dated November 1973.) Not long after that, and after more con- 
versations with Ellis, he came up with another idea that further stream- 
lined the original concept. This is almost the precise formulation for 
what would later be known as the Diffie-Hellman key exchange. As far 
as Williamson is concerned, though, it was pretty much a consequence 
of the first paper, so obvious that he felt in no hurry to circulate it. “It’s 
slightly easier,” he says. “It really didn’t feel like such a big step.” 

Now GCHQ had not one but two means of implementing James 
Ellis’s heresy. But just as the agency had been suspicious of Ellis’s ini- 
tial plan, it moved ultra -cautiously with these two schemes. “First of 
all, we wanted to make sure it was secure,” says Cocks. 

Oddly, one factor ruling against nonsecret encryption was the pure 
beauty of Cocks’s scheme and Williamson’s second implementation. 
“It’s enticing and nice,” says Williamson, “but elegance is not what 
we’ve looked for before in cipher systems. There’s a basic principle 
that neat and tidy problems have neat and tidy solutions, and messy 
problems don’t have neat and tidy solutions. Now, most of cipher 
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design is essentially messy; it’s not neat and tidy and mathematical. So 
we’re pretty comfortable that people are not going to be able to break 
those things, because even if you hack away at it, you’re not going to 
suddenly find a little magic screw that if you unscrew it, everything 
falls to pieces. But in all this stuff with public key, there absolutely may 
be a magic screw. Some graduate student mathematician could really 
cause a disaster.” 

So concerned was GCHQ with this issue that it not only looked at 
the schemes internally — finding no inherent flaws — but also took the 
unusual step of going to a renowned outsider, professor R. F. Church- 
house, giving him the mathematics of Cocks’s idea and asking if it was 
secure. Churchhouse concluded that as long as no one figured out a 
fast way of factoring large numbers — something that no mathemati- 
cian had ever come close to — the scheme was secure. 

The agency ultimately figured that of the two methods, Williamson’s 
was preferable because its particular functions were easier to work with 
than the huge numbers that came with Cocks’s multiplication-based 
scheme. Even so, the system was judged to be impractical. “The 
machines that would be used were expensive and very slow,” explains 
Cocks. “It took minutes to generate [a key]. We looked at the circum- 
stances under which you would find it useful to have a machine that 
took that long to produce [keys] and immediately thought the applica- 
tions were too limited to make it worth floating.” 

Inside GCHQ, the conventional wisdom had shifted from It’s 
impossible to It’s impractical. And too many people were still terrified 
by the method’s “nonsecret” aspect. Perhaps, went the thinking, such 
a radically new kind of cryptography might have weaknesses too sub- 
tle to detect, weaknesses that an enemy might use to break the system. 

Even Malcolm Williamson believed that the whole venture was too 
risky. When he finally wrote up the revised version of his key scheme, 
he cited these reservations as the reason for the two-year delay. “I find 
myself in an embarrassing position,” he wrote. “Having written [my 
first paper], I have come to doubt the whole theory of nonsecret encryp- 
tion. The trouble is that I have no proof that the method ... is genu- 
inely secure.” Later in the paper, however, he complains that “I feel that 
there should be a flaw in the security of the method. But I cannot find 
anything wrong with it and would be grateful if anyone else can.” 
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No one did. But by then it had tacitly been concluded at GCHQ 
that it wasn’t worth the effort to implement a public key cryptosystem. 

In 1976, of course, Diffie and Heilman presented their findings, first 
in January (after circulating drafts informally even before that), then in 
their November revision, “New Directions in Cryptography.” This was 
followed in 1977 by the RSA paper. The authors won fame if not 
instant fortune. But by ethics and law, the GCHQ scientists could not 
let a word slip of the real truth. 

According to Cocks, James Ellis read the first paper, which outlined 
the idea but suggested no implementation, and said, “They’re where 
I was in 1969.” The Stanford team’s second paper, of course, did 
suggest a means of implementation — one identical to the Malcolm 
Williamson solution. (It is unclear whether the Diffie- Heilman papers 
led him to write up his second, “small step” in implementing it, but the 
paper is dated August 1976, some months after Diffie and Heilman’s 
first publication.) Cocks himself had temporarily left GCHQ for a stint 
at the ministry of defense, and first learned of the American discov- 
eries in Martin Gardner’s column in mid- 19 77 — the one that 
described the RSA algorithm that he had first discovered three years 
earlier. “I was surprised,” he says. 

Certainly by then, the British cryptographers were keeping track of 
their counterparts outside the shadow world. And later in 1977, it 
obviously caused them consternation when they learned that both 
Stanford University and MIT were, respectively, planning to patent 
the Diffie -Heilman and RSA algorithms — both of which were origi- 
nally conceived at CESG. Williamson in particular was outraged. 

“I tried to get [GCHQ] to block the U.S. patent,” he says. “We 
could have done that, but in fact the people higher up didn’t want to. 
Patents are complicated.” Specifically there was a question as to 
whether one could obtain a patent under British law for what was 
essentially a mathematical algorithm. And of course, there were secu- 
rity issues. It wouldn’t do for the GCHQ to let outsiders know 
what its people were thinking. “The advice we received was ‘Don’t 
bother,’ ” says Cocks. Williamson, who still believes that his bosses 
erred in this case, recalls the chief scientist eventually coming to him 
and saying, “No, we’re not going to block the patent.” 

So the shadow world kept quiet. 
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Thus, the timidity and isolation of what Ellis called the “closed com- 
munity” led to a creative failure: despite its head start, it essentially 
ceded the public key idea to the outsiders who used it to build not only 
an alternative community, but also an entire industry. (The first prod- 
uct known to have used public key technology coming out of the NSA 
or GCHQ was the former’s STU-III secure telephone, which rolled 
out in 1987, long after the Diffie- Heilman paper was published. By 
then RSA Data Security was on its way toward offering easy-to-use 
crypto solutions.) 

Also, by shunting the idea of public key cryptography aside, the 
government people were unable to see some of the most important 
aspects of their own discovery. Chief among them was the idea that 
public key cryptography was as valuable for its ability to authenticate 
message senders (the digital signature aspect) as it was for its encryp- 
tion properties. What’s more, in rejecting nonsecret encryption as 
impracticably slow, the agencies missed what turned out to be a simple 
solution to that problem: using the nonsecret algorithms in conjunc- 
tion with conventional, symmetrical -key systems. Once Diffie and 
Heilman published their work, it didn’t take long for creative minds in 
the private sector to figure out that these “hybrid” systems were the 
future of privacy technologies. 

This was only one of the public key-based innovations that were to 
arise from the freewheeling exchanges that occurred in an atmosphere 
of openness. There would be digital cash (anonymous or traceable), 
secret sharing, digital certificates, digital time stamping, electronic 
receipts, remote gambling . . . any number of amazing variations by 
academics, commercial scientists, and cypherpunks. As a result of 
these efforts, public key became ubiquitous, on every copy of Netscape 
and Lotus Notes, embedded in Windows and Macintosh, and, inevi- 
tably, in everyone’s wallet — with no thanks to the closed community 
and owing everything to the open one. 

Should GCHQ and its partners have worked harder to make the 
ideas viable? Could they have come up with some of those innovations? 
Perhaps. But while it’s easy to fault the intelligence community for not 
implementing their original ideas, there’s another side to the story. 

Looking at it from a national security point of view, prudence made 
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sense. It was one thing to implement a totally new system in the pri- 
vate sector, where using any kind of crypto to secure data was a nov- 
elty in itself. But doing so for government secrets, where reliable 
systems were already providing protection in life-and-death situations, 
posed a different kind of risk. “The government has to be very cau- 
tious,” says Williamson. “It’s much more important to secure some of 
this stuff than, say, banking transactions or Internet communications, 
or what the next model Ford is going to look like. If I were on the top 
of the pyramid then, would I have dared to implement it? What was 
the chance that somebody would find that magic screw that unlocks 
everything? ” 

Williamson also makes no apologies for the intelligence community’s 
failure to discovery any of the marvelous innovations that sprang from 
the original concept of the split-key system. GCHQ, the argument 
goes, was essentially a spy and security agency, and had no interest in 
developing the sort of technologies that would provide benefits to the 
public at large (even if the public does pay their salaries). “There’s 
a basic core of things the government has to do,” Williamson says, 
“and the rest is probably better done by private industry.” The only 
reason for the agency to keep working on the technologies was to see 
whether it could improve the sorts of activities that GCHQ was 
already performing. 

But by not exploiting nonsecret encryption, the intelligence people 
were quite possibly missing an important opportunity to do just that. 
In 1982, years after GCHQ had all the information it needed to imple- 
ment a public key system, the British agency suffered one of its worst 
scandals when an employee named Geoffrey Prime sold crucial infor- 
mation to the Russians. During that general time period, the NSA also 
had huge security failures, in infamous cases involving the Walker 
family, and Christopher Boyce and Andrew Lee. These involved the 
transfer of invaluable key material that wouldn’t have existed in a pub- 
lic key system. It wasn’t really surprising that the agencies could be 
compromised in this manner — after all, the difficulty in protecting 
these keys was a well -identified problem. The problem, in fact, that 
James Ellis had set out to solve. 

So why hadn’t the agencies moved decisively in exploring nonsecret 
encryption-based alternatives to their systems? In the final reckoning, 
nonsecret encryption was too much a departure from the norm. It 
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was radical and risky — appealing traits to an entrepreneur but terrify- 
ing ones to a bureaucrat. “You’ve got to remember,” says Malcolm 
Williamson, “this is the civil service. I mean, this is something new and 
different. ‘Let’s ignore it. Let’s sweep it under the carpet.’ ” 

Do the GCHQ scientists feel shortchanged at seeing others win 
acclaim for what they originally discovered? They claim not to, and 
believe they also speak for James Ellis on this point. “Ellis got internal 
recognition,” says Cocks, who himself feels perfectly comfortable with 
the situation. “You accept that [when you work for GCHQ], Internal 
recognition is all you get.” 

Williamson also rejects the idea that their silence was the raw end 
of a Faustian bargain cut when they entered the shadow world. To the 
contrary, he says that the disadvantaged ones are crypto people who 
don’t work for the government. “I sometimes wonder why people on 
the outside work on cryptography,” he says. “What’s their reason for 
it? Clearly, governments have good reason for this — they want to 
secure their own communications, they want to read communica- 
tions of other countries. Those are important jobs. Who would want 
to sit in a university and do that sort of thing? It’s sort of like being 
a shipbuilder and insisting on living in Iowa.” (Williamson himself, 
after some years working in the private sector, is now an American 
citizen — and is back in the shadow world, working for a nonprofit 
think tank that does classified defense work.) 

But James Ellis apparently had thoughts of his place in posterity. 
“His career wasn’t going anywhere,” says Nick Patterson. “I would 
guess he was frustrated and viewed it as he did his previous disap- 
pointment with the radio invention.” In 1985, he wrote a paper spe- 
cifically to set the general public straight on just who invented public 
key cryptography. In the opening paragraphs, he explains that while 
secrecy is utterly crucial in his business, there are circumstances when 
it can be put aside “in the interests of historical accuracy after it has 
been demonstrated clearly that no further benefit can be obtained 
from continued secrecy.” Given that, he continued, “it is now appro- 
priate to tell the story.” 

Clearly, he hoped to establish his claim. The paper itself ends by 
emphasizing, for anyone thick enough to have missed the point, that 
it was “some time after the basic work was done” that Diffie and Hell- 
man made what he called the rediscovery of the nonsecret encryption 
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techniques. But if Ellis hoped that his account would quickly find its 
way outside the closed community, he was to be bitterly disappointed. 
Year after year went by and his attempt to set the record straight 
remained classified. His superiors felt it was not time yet. Nor was it 
time five years after he wrote it. Or ten years. 

So why did they finally allow the papers to see daylight in Decem- 
ber 1997, twelve years after Ellis compiled the history and almost 
twenty years after a brainstorm that would shake cryptography itself? 
Cliff Cocks says that the impetus was a speech he was scheduled to 
give around that time, on a variation of what will always be called the 
RSA algorithm. But Malcolm Williamson is more frank on the issue. 
The papers were all ready to go, he says, but could not be published 
“until a certain person retired.” 

That retirement apparently occurred before December 23, 1997, 
when GCHQ finally posted the original papers of Ellis, Cocks, and 
Williamson on its Web site, along with the “History of Non- Secret 
Encryption” that Ellis had written in 1985. But the release came too 
late for Ellis. Barely a month before the world learned of his crowning 
achievement, James H. Ellis died. 

But not before he got to meet his counterpart in the “open com- 
munity.” For years Whit Diffie had been wondering about rumors that 
public key cryptography had indeed been discovered by the spooks. In 
the late 1970s NSA director Bobby Inman made a point of informing 
cryptographer Gus Simmons, who was writing the cryptography entry 
for the Encyclopedia Britannica, that it was an NSA invention. Diffie 
once pressed NSA deputy director Howard Rosenblum on the matter 
and was surprised that Rosenblum referred him not to anyone behind 
the Triple Fence but to a British GCHQ engineer he’d never heard of. 
Without stating his motivation — he hoped it would be obvious — he 
called Ellis, who indicated he might also like a meeting. 

It was September 1982. Diffie had a trip planned to Paris, and his 
itinerary allowed a visit to Cheltenham. Diffie and his wife Mary Fis- 
cher left Paris to the sound of Gregorian chants blaring from every 
radio and television: it was the funeral of Princess Grace of Monaco. 
Diffie and Fischer flew to Heathrow and went to Salisbury for the 
weekend. Then he drove alone to Cheltenham. 

Ellis lived on the outskirts of town; from the back of the house the 
ground fell off steeply, and one had a beautiful view of the town below. 
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He called it the Dilkusha House, which means “little delight” in Per- 
sian. In the backyard he raised bees. Ellis in his late fifties was a tall 
man, going gray. His wife was friendly; they had a daughter bound to 
attend the London School of Economics. After some small talk with 
Ellis’s wife, Diffie and Ellis headed to a pub. 

Diffie turned to Ellis as they pulled out of the driveway. "Tell me,” 
he said, “how you invented nonsecret encryption.” 

“Who says I did?” asked James Ellis. 

Diffie gave him the NSA official’s name. 

“Do you work for him?” asked Ellis. Diffie said no. He was not part 
of the closed community. 

After a bit more of this back-and-forth, Diffie realized that Ellis 
wasn’t going to talk about it. Indeed, Diffie would meet Ellis several 
times more, and while they would come closer to discussing the sub- 
ject, Ellis would never really lay out the story of nonsecret encryption 
as clearly as he did in his papers. But the two scientists would become 
friends. Diffie’s wife, after getting to know Ellis, would come to see a 
clear connection between Ellis and her husband. “They’re both mys- 
tics,” says Mary Fischer. 

Who knows what was going through James Ellis’s head that day? 
He was a man who came across a revolutionary idea and lived to see 
others win fame for its reinvention; who took pains to write a paper 
outlining his contribution and waited, in vain, for it to be published in 
his lifetime; who saw his idea, when presented by others, not only 
flourish but create a new industry and a new community and a vir- 
tual transformation of the subject — so thorough a shift that even the 
shadow world would never be the same. But he could not, and would 
not, break the rules and share his secrets — not even to his private - 
sector doppelganger. 

Later at the pub, Ellis would get Diffie tipsy on hard cider while 
they spoke of anything but the matter that had drawn them together 
and permanently bound them. But before leaving the subject, Ellis 
couldn’t resist a tacit acknowledgment, one that spoke volumes about 
the world he lived in and the new world of cryptography that Diffie 
was helping to create. 

“You did more with it than we did,” said the father of nonsecret 
encryption to the father of public key cryptography. And thereafter 
kept his secret. 
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research was related to speech -encryption work known as “Project X” in 
Bell Labs. In Turing: The Enigma, Andrew Hodges describes Alan Turing’s 
participation in that project, which also benefited from the input of Claude 
Shannon (also at Bell Labs then) and William Friedman. If there was any 
cross -influence of those projects, that means that public key’s heritage 
directly flows from the century’s major prepublic key cryptographic figures. 
323 finished his memo M. J. Williamson, “Non-Secret Encryption Using a 
Finite Field,” CESG Report, January 21, 1974. Cocks’s scheme was “A 
Note on Non-Secret Encryption,” CESG Report, November, 20, 1973. 
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325 small step M. f. Williamson, “Thoughts on Cheaper Non-Secret Encryp- 
tion,” CESG Report, August 10, 1976. 

327 Prime Prime’s story is told in the afterword of Bamford’s The Puzzle 
Palace. 

327 Walker family The Walker tale is nicely laid out in Howard Blum’s / 
Pledge Allegiance . . . New York, Simon & Schuster, 1987. 

327 Boyce and Lee Boyce and Lee are the protagonists in Robert Lindsey’s 
The Falcon and the Snowman, New York, Simon & Schuster, 1979. 
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glossary 


Capstone A National Security Agency-designed chip with capabilities for strong 
encryption and digital signatures, but with key escrow so authorities can 
read encrypted messages. 

Cipher Also known as a cryptographic algorithm, it is the mathematical function 
used to scramble and unscramble messages. 

Ciphertext The (presumably unreadable) state of a message after it has been 
encrypted. 

Clipper Chip The NSA-designed key escrow system earmarked for telephone 
devices. The tamperproof chip offered only the encryption and escrow fea- 
tures of the Capstone’s system. 

Communications Security (COMSEC) The practice of ensuring that codes are 
strong and well implemented. (This is half of the NSA’s mission, along with 
SIGINT.) 

Cryptanalysis Codebreaking — the black art of turning ciphertext back into plain- 
text without using the key. 

Cryptography The use of secret codes and ciphers. 

Cryptology The study and mathematics of secret codes and ciphers. Sometimes 
used interchangeably with cryptography. 

Cryptosystem A means of encrypting data and performing other cryptographic 
functions, often synonymous with the algorithm that performs the actual 
scrambling. 

Data Encryption Standard (DES) A cryptosystem developed by IBM, evolved 
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from the earlier Lucifer. Though originally questioned by critics, this con- 
ventional cipher has proved secure, vulnerable only by what critics consider 
a weak provision for the length of its keys. 

Diffie-Hellman Key Exchange The algorithm devised by Whit Diffie and Marty 
Heilman that allows two people to generate a secret key in such a way that 
each will possess it, but an eavesdropper listening to the entire exchange 
won’t be able to construct it himself. 

Digital Signature Mathematically generated cryptographic data that undeniably 
identify a message with its sender. 

Digital Signature Algorithm (DSA) An algorithm, produced by the NSA, that 
the government endorsed as the Digital Signature Standard. It differs from 
the RSA signature scheme in that it does not encrypt information. 

Encryption The act of scrambling information (into ciphertext) so that inter- 
cepted messages cannot be read. 

Factoring The mathematical feat of taking a number produced by the multiplica- 
tion of two smaller numbers and finding the original figures. This one-way 
function is the basis of the RSA algorithm. 

Hash Function A cryptographic means of compressing a message so that it pro- 
vides a compact “fingerprint” of the original. 

IDEA A conventional cipher used by later versions of PGP, replacing the original 
“Bass-O-Matic.” 

Key The component of a cryptosystem that determines how the message will be 
scrambled. A key applied to a plaintext message becomes ciphertext; the 
same key (or in a public key system, a matching half of a key pair) will 
change it back. 

Key Escrow A shortcut, or trapdoor, intentionally built into cryptosystems that 
allows authorities to quickly decrypt messages, ostensibly without otherwise 
compromising security. 

Key Length The longer the key, the more difficult a cipher is to break by “brute 
force” (testing each different possibility until plaintext emerges) . The range 
of all possible keys is called a keyspace. The amount of effort it takes to con- 
duct a brute-force attack is the workfactor. 

Knapsack Early public key cryptosystem, devised by Ralph Merkle, and subse- 
quently broken. 

Lucifer Conventional cryptosystem devised by Horst Feistel at IBM in the early 
1970s. It was the basis for the 1975 Data Encryption Standard. 

One-Time Pad The only mathematically unbreakable form of cipher; unwieldy as 
it requires a key length as long as the message itself and can never be reused. 

One-Way Function A mathematical operation that is easy to calculate, but 
many times harder to reverse. A trapdoor one-way function has an addi- 
tional feature in that someone with the proper information can reverse the 
calculation. 

Plaintext The original, preencrypted form of a message. 
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Pretty Good Privacy (PGP) Phil Zimmermann’s popular home-grown public key 
cryptosystem, distributed for free on the Internet beginning in 1991. 

Private Key In a public key system, the private key is the component of the key 
pair that must be closely held: only by the use of it can one unscramble mes- 
sages created by the holder’s public key and “sign” messages to verify that 
the holder actually sent them. 

Public Key The component of a key pair that allows others to send private mes- 
sages to its holder. It is also used to verify digitial signatures. It can be 
widely distributed with no compromise in security. 

Public Key Cryptography The breakthrough system devised by Diffie and Hell- 
man in 1975 that eschews symmetric keys for a key pair. 

Random Number Generator (RNG) A part of a computer-based cryptosystem 
that adds unpredictability to the way keys scramble the message. 

RC2, RC4 Conventional ciphers created by Ron Rivest (the RC stands for Rivest 
cipher) . 

Remailer An Internet service that allows people to send electronic messages with- 
out revealing their identities. 

RSA Algorithm The most popular public key cryptosystem, devised by Rivest, 
Shamir, and Adleman in 1977. 

Signals Intelligence (SIGINT) The means of intercepting communications and, 
when necessary, breaking codes. 

Skipjack A strong conventional encryption cipher, produced by the NSA, that was 
at the heart of the Capstone and Clipper schemes. 

Symmetric Key Used in conventional cryptography, a single one of these is used 
by the sender of a message to scramble the text and by the receiver to 
unscramble it. 
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: behind-the-scenes account of what the 
i etive National Security Agency really had in 


when it created the controversial "Clipper 


< . p"-and how the Clinton administration bun- 
i I : the operation. 

. Ll ■ Edition, Levy explores what turned out to be a 
decisive development in the crypto wars-the 
unlikely alliance between the wireheads and big 
business. Their shared goal: to defend our right to 
privacy from the government and other snoops. 

From the writer who made "hackers" a household 
word, Crypto is a groundbreaking book about the 
hottest issue on the electronic frontier. It is des- 
tined to be a classic in its field. 
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an ATM or buy something on the Net without it. To tell the story coherently is 
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liberated crypto from under the noses of spooks and installed the code in the 
dream servers of dot-coms. Crypto not only makes e-commerce possible; it is 
also the first political movement in the digital era. Read about the future here.T. 
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